Method and system for transformation of logical data objects for storage

ABSTRACT

A method and system for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

FIELD OF THE INVENTION

This invention relates to computing systems, and, in particular, tomethods and systems capable of transforming logical data objects to bestored in computing systems and networks thereof.

BACKGROUND OF THE INVENTION

In current business environment, all types of business data are becomingmore and more crucial to business success. The tremendous growth andcomplexity of business-generated data is driving the demand forinformation storage, defining the way of sharing, managing andprotection of information assets.

Typically, no single technology or architecture is able to address allthe needs of any organization. Main storage technologies are described,for example, in the White Paper by EMC, “Leveraging Networked storagefor your business”, March 2003, USA and basically can be identified bylocation and connection type (intra-computer storage, direct attachedstorage (DAS), IP, channel networks, etc.) and by the method that datais accessed. There are three basic types of storage architectures toconsider in connection with methods of data access: Block Access, FileAccess, and Object Access.

In block mode access architecture, the communication between aserver/client and a storage medium occurs in terms of blocks;information is pulled block by block directly from the disk. Theoperation system keeps track of where each piece of information is onthe disk, while the storage medium is usually not aware of the filesystem used to organize the data on the device. When data need to beread or updated, the data are directly accessed from the disk by thatprocessor which knows where each block of data is located on the diskand how to access it. Examples of block mode access storage technologiesare DAS (Direct Attached Storage), SAN (Storage Area Network), BlockStorage over IP (e.g. FCIP, iFCP, iSCSI, etc.), intra-memory storage,etc.

File access requires the server or client to request a file by name, notby physical location. As a result, a storage medium (external storagedevice or storage unit within a computer) is usually responsible to mapfiles back to blocks of data for creating, maintaining and updating thefile system, while the block access is handled “behind the scenes”.Examples of file access storage technologies are NAS (Network AttachedStorage with NFS, CIFS, HTTP, etc. protocols), MPFS (Multi-Pass FileServing), intra-computer file storage, etc. The file access storage maybe implemented, for example, for general purpose files, webapplications, engineering applications (e.g. CAD, CAM, softwaredevelopment, etc.), imaging and 3D data processing, multi-mediastreaming, etc.

Object access further simplifies data access by hiding all details aboutblock, file and storage topology from the application. The object accessoccurs over API integrated in content management application. An exampleof object access storage technology is CAS (Content Addressed Storage).

The logical data objects (data files, image files, data blocks, etc.)may be transformed for transmission and/or storage. The transformationmay comprise compression, encryption, encoding, conversion, etc. and/orcombinations thereof. For example, data compression techniques are usedto reduce the amount of data to be stored or transmitted in order toreduce the storage capacity and transmission time respectively.Compression may be achieved by using different compression algorithms,for instance, a standard compression algorithm, such as that describedby J. Ziv and A. Lempel, “A Universal Algorithm For Sequential DataCompression,” IEEE Transactions on Information Theory, IT-23, pp.337-343 (1997).

Various implementations of compressing data for storage and access tothe stored data are disclosed, for example, in the following patentpublications:

U.S. Pat. No. 5,813,011 (Yoshida et al.) entitled “Storage of acompressed file containing its own compression management table”;

U.S. Pat. No. 5,813,017 (Morris et al.) entitled “System and method forreducing storage requirement in backup subsystems utilizing segmentedcompression and differencing”;

U.S. Pat. No. 5,956,504 (Jagadish et al.) entitled “Method and systemfor compressing a data stream in a database log so as to permit recoveryof only selected portions of the data stream”;

U.S. Pat. No. 6,092,071 (Bolan et al.) entitled “Dedicated input/outputprocessor method and apparatus for access and storage of compresseddata”;

U.S. Pat. No. 6,115,787 (Obara et al.) entitled “Disc storage systemhaving cache memory which stores compressed data”;

U.S. Pat. No. 6,349,375 (Faulkner et al.) entitled “Compression of datain read only storage and embedded systems”;

U.S. Pat. No. 6,449,689 (Corcoran et al.) entitled “System and methodfor efficiently storing compressed data on a hard disk drive”;

U.S. Pat. No. 6,532,121 (Rust et al.) entitled “Compression algorithmwith embedded meta-data for partial record operation augmented withexpansion joints”;

U.S. Patent Application No. 2002/078241 (Vidal et al.) entitled “Methodof accelerating media transfer”;

U.S. Patent Application No. 2004/030,813 (Benveniste et al.) entitled“Method and system for storing memory compressed data onto memorycompressed disks”;

U.S. Patent Application No. 2004/054,858 (Sashikanth et al.) entitled“Method and mechanism for on-line data compression and in-placeupdates”;

U.S. Patent Application No. 2006/230,014 (Amit et al.) entitled “Methodand system for compression of files for storage and operation oncompressed files”;

U.S. Patent Application No. 2006/190,643 (Amit et al.) entitled “Methodand system for compression of data for block mode access storage”.

Data stored in plaintext is open to potential malicious use (e.g.unauthorized access, misuse, theft, etc.), and known in the artsolutions for perimeter and/or access control (e.g. firewalls, VirtualPrivate Networks, LUN masking control and zoning in SAN storagenetworks, NAS security control features, etc.) still leave securityvulnerabilities. Encrypting data to be stored may considerably reducesecurity threats; such encryption may be provided by using differentalgorithms known in the art. The problem of providing encryption ofstoring data with minimal impact on data accessibility and manageabilityhas been recognized in the Prior Art and various systems have beendeveloped to provide a solution, for example:

U.S. Pat. No. 5,235,641 (Kaluse et al.) entitled “File encryption methodand file cryptographic system”;

US Patent Application No. 2004/153,642 (Avida et al.) entitled“Encryption based security system for network storage”;

US Patent application 2005/204,154 (Osali) entitled “Method andapparatus for cryptographic conversion in a data storage system”.

The problem of providing compression of logical data objects combinedwith encryption thereof also has been recognized in the Prior Art andvarious systems have been developed to provide a solution, for example:

U.S. Pat. No. 5,285,497 (Thatcher) entitled “Methods and apparatus forscrambling and unscrambling compressed data streams”

U.S. Pat. No. 6,122,378 (Yoshiura et al.) entitled “Method and devicefor compressing and ciphering data”

U.S. Pat. No. 6,154,542 (Crandall) entitled “Method and apparatus forsimultaneously encrypting and compressing data”

U.S. Pat. No. 6,157,720 (Yoshiura et al.) entitled “Method and apparatusfor encrypting data”

U.S. Patent Application No. 2004/218,760 (Chaudhuri) entitled “Systemand method for data encryption and compression”

U.S. Patent Application No. 2004/264,698 (Oda) entitled “Data encryptingdevice, data decoding device, image data storing device and imageforming apparatus”

GB Patent Application 2,315,575 (Mansour et al.) entitled “Encryptioncircuit in I/O subsystem”

SUMMARY OF THE INVENTION

In accordance with certain aspects of there present invention, there isprovided a method of encrypting a plaintext logical data object forstorage in a storage device operable with at least one storage protocoland a system thereof. Said method comprising:

-   -   in response to a respective request, creating in the storage        device a encrypted logical data object comprising a header and        one or more allocated encrypted sections with predefined size;    -   processing one or more sequentially obtained chunks of plaintext        data corresponding to the encrypting plaintext logical data        object thus giving rise to the processed data chunks, wherein at        least one of said processed data chunks comprises encrypted data        resulting from said processing;    -   sequentially accommodating the processed data chunks into said        encrypted sections in accordance with an order said chunks        received, and    -   facilitating mapping between the data in the plaintext logical        data object and the data accommodated in the encrypted sections.

In accordance with further aspects of the present invention, the mappingis provided with a help of at least one index section constituting apart of the encrypted logical data object, said index section comprisingat least one entry holding at least information related to processeddata chunks accommodated in at least one encrypted section andindication of physical storage location pertaining to said encryptedsection.

In accordance with further aspects of the present invention, data chunksaccommodated in different encrypted sections are encrypted with the helpof different secure keys.

In accordance with further aspects of the present invention, theencryption comprises:

-   -   breaking data in a plaintext data chunk into plaintext        fixed-size segments; and    -   encrypting each said segment of the plaintext data chunk into        encrypted segment with a fixed-size, said encrypted segments        constituting corresponding encrypted data chunk.

In accordance with further aspects of the present invention, theencryption comprises:

-   -   obtaining at least one initial initialization vector; and    -   encrypting the plaintext chunks with the help of a security key        combined with initial initialization vector and/or derivatives        thereof, wherein the security key is the same for data chunks        accommodated into the same encrypted section.

In accordance with further aspects of the present invention theprocessed data chunks are accommodated in a log form, wherein a log of aprocessed data chunk comprises a log header containing information inrespect of an offset of the plaintext data chunk within the plaintextlogical data object, size of said plaintext chunk, and an identifierallowing associating the log with the encrypted section accommodatingthe log.

In accordance with further aspects of the present invention, the indexsection comprises at least one entry associated with at least oneencrypted section, the entry comprising at least one indicator tophysical storage location of the encrypted section and one or more logrecords related to the respective logs accommodated in the encryptedsection and comprising information facilitating mapping between the datain the plaintext logical data object and the data accommodated in theencrypted sections.

In accordance with further aspects of the present invention, eachencrypted section is associated with a flag indicating a use/re-usecondition of respective physical location of the encrypted section, andeach processed data chunk is associated with the same flag as theencrypted section accommodating the chunk.

In accordance with other aspects of the present invention there isprovided a system operable in a storage network and being configured toperform the method stages above. The system may be a part ofcommunication device; a storage device; a stand-alone system capable ofencrypting a plaintext logical data object for storage and operativelycoupled to the storage device in a serial manner, said system acting asa transparent bridge in respect to the storing data; etc.

In accordance with other aspects of the present invention, there isprovided a method of writing a data range to the encrypted logical dataobject, said method comprising:

-   -   in response to respective request, processing one or more        sequentially obtained chunks of plaintext data corresponding to        said data range, wherein at least one of the processed data        chunks comprises encrypted data resulting from said processing;    -   sequentially accommodating the processed data chunks in        accordance with the order these and previous chunks received;        and    -   updating the mapping in a manner facilitating one-to-one        relationship between the data in the range and the data to be        read from the data chunks accommodated in the encrypted logical        object.

In accordance with further aspects of the present invention updating theindex section comprises:

-   -   adding information related to all new data chunks, said        information related to the offset and size of the respective        plaintext data chunks, and    -   updating the previous obtained information related to live        and/or outdated data corresponding to the range.

In accordance with other aspects of the present invention, there isprovided a method of reading a data range from a encrypted logicalobject, said method comprising:

-   -   in response to respective request, discovering all created        and/or last-updated entries in the index section related to the        data within the range;    -   decrypting one of the encrypted sections corresponding to the        discovered entries, and extracting the data to be read in        accordance with the mapping provided by the entries;    -   repeating the above step to one ore more other encrypted        sections corresponding to the discovered entries until        extracting all data from the range; and    -   arranging the extracted data in accordance with their order in        the range.

In accordance with other aspects of the present invention, there isprovided a method of optimization of the encrypted logical data object,said optimization including:

-   -   identifying one or more encrypted sections comprising more than        certain percent of outdated data thus giving rise to outdated        encrypted sections;    -   decrypting the identified outdated sections and extracting live        data;    -   encrypting the extracted live data and sequentially        accommodating in the active section as one or more new processed        chunks; and    -   releasing the outdated encrypted sections from the encryptes        logical data object.

In accordance with other aspects of the present invention, there isprovided a method of recovery a encrypted logical data object, saidmethod comprising:

-   -   initiating a recovery process upon recognizing a recovery status        when opening a logical data object;    -   inspecting the transformed logical object in order to find one        or more unmapped encrypted sections, wherein unmapped encryption        section comprises at least one un-mapped processed data chunk;    -   sequentially decrypting in reversed order the processed data        chunks comprised in said unmapped encrypted sections, starting        from the last processed data chunk until a data chunk with an        opposite flag is found;    -   generating an index section with one or more entries        corresponding to the decrypted processed data chunks; and    -   re-processing the decrypted chunks and providing indication of        successful recovery.

In accordance with other aspects of the present invention, there isprovided a method of encrypting a plaintext logical data object forstorage in a storage device operable with at least one storage protocol,said method comprising:

-   -   in response to a respective request, creating in the storage        device a encrypted logical data object comprising a header and        one or more allocated encrypted sections with predefined size;    -   encrypting one or more sequentially obtained chunks of plaintext        data corresponding to the plaintext logical data object thus        giving rise to the encrypted data chunks; and    -   sequentially accommodating the processed data chunks into said        encrypted sections in accordance with an order said chunks        received, wherein said encrypted sections serve as atomic        elements of encryption/decryption operations during input/output        transactions on the logical data object.

Said method further comprises enabling for each encrypted sectionsubstantial identity between data could be obtained from said encryptionsection if being decrypted and the data in the respective plaintext datachunks accommodated in said section as a result of said encrypting.

In accordance with other aspects of the present invention there isprovided a system operable in a storage network and being configured toperform the methods above. The system may be a part of communicationdevice; a storage device; a stand-alone system capable of encrypting aplaintext logical data object for storage and operatively coupled to thestorage device in a serial manner, said system acting as a transparentbridge in respect to the storing data; etc.

In accordance with other aspects of the present invention, there isprovided a system capable of encrypting a plaintext logical data objectfor storage in a storage device operable with at least one storageprotocol, said system comprising:

-   -   means for creating in the storage device a encrypted logical        data object comprising a header and one or more allocated        encrypted sections with predefined size;    -   means for processing one or more sequentially obtained chunks of        plaintext data corresponding to the encrypting plaintext logical        data object thus giving rise to the processed data chunks,        wherein at least one of said processed data chunks comprises        encrypted data resulting from said processing;    -   means for facilitating sequentially accommodating the processed        data chunks into said encrypted sections in accordance with an        order said chunks received; and    -   means for facilitating mapping between the data in the plaintext        logical data object and the data accommodated in the encrypted        sections.

In accordance with other aspects of the present invention, there isprovided a method of encrypting sequential plaintext chunks to be storedas encrypted logs in a storage device operable with at least one storageprotocol, said encrypting provided with a help of encryption engineoperating data segments with fixed size, the method comprising:

-   -   dividing a first plaintext chunk into two parts thus giving rise        to a primary part and a tail part, wherein the primary part        comprises sequential data starting from the offset of said first        chunk and having size defined as a multiple of said fixed size,        and the tail part comprises the rest data of said first chunk,        said rest of the data less than said fixed size;    -   encrypting the primary part with a secure key and accommodating        the results in the storage device as an encrypted log, thus        giving rise to a first primary log;    -   processing the tail part and accommodating the results in the        storage device sequentially after the primary log, thus giving        rise to a first tail log;    -   obtaining a next plaintext chunk;    -   obtaining the plaintext data from the first tail log, adding        them at the beginning of said next chunk, and dividing the        result in a primary part comprising sequential data starting        from the offset of said obtained plaintext data and having size        defined as a multiple of said fixed size, and the tail part        comprises the rest data of said next chunk, said rest of data        less than said fixed size;    -   encrypting the primary part with said secure key in a next        primary log, said next primary log to be accommodated at a        position after the first primary log; and    -   processing the tail part and accommodating the results in the        storage device sequentially after said next primary log.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to understand the invention and to see how it may be carriedout in practice, certain embodiments will now be described, by way ofnon-limiting example only, with reference to the accompanying drawings,in which:

FIG. 1 is a schematic block diagram of typical storage networkarchitecture as is known in the art;

FIGS. 2 a and 2 b are schematic diagrams of raw and compressed logicaldata objects in accordance with certain embodiments of the presentinvention;

FIGS. 3 a and 3 b are schematic diagrams of plaintext and encryptedlogical data objects in accordance with certain embodiments of thepresent invention;

FIGS. 4 a-4 d are schematic diagrams of original andcompressed/encrypted logical data objects in accordance with certainembodiments of the present invention;

FIG. 5 is a schematic diagram of the transformed logical data object inaccordance with certain embodiments of the present invention;

FIGS. 6 a and 6 b are schematic diagrams illustrating update of thetransformed logical data object in accordance with certain embodimentsof the present invention;

FIG. 7 is a generalized flowchart of creating transformed logical dataobject in accordance with certain embodiments of the present invention;

FIG. 8 is a schematic diagram of the processed logical data objectaccommodated in non-transformed and transformed form in accordance withcertain embodiments of the present invention;

FIG. 9 is a generalized flowchart of write operation on a transformedlogical data object in accordance with certain embodiments of thepresent invention;

FIG. 10 is a generalized flowchart of read operation on a transformedlogical data object in accordance with certain embodiments of thepresent invention;

FIG. 11 a is a generalized flowchart of read operation with specifiedpoint in time in accordance with certain embodiments of the presentinvention;

FIG. 11 b, there a schematic diagram of index section comprising timestamps in accordance with certain embodiments of the present invention.

FIGS. 12 a-12 b are schematic diagrams illustrating non-limitingexamples of encryption transformation in accordance with certainembodiments of the present invention.

FIG. 13 is a schematic functional block diagram of the transformationsystem in accordance with certain embodiments of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

In the following detailed description, numerous specific details are setforth in order to provide a thorough understanding of the invention.However, it will be understood by those skilled in the art that thepresent invention may be practiced without these specific details. Inother instances, well-known methods, procedures, components and circuitshave not been described in detail so as not to obscure the presentinvention. In the drawings and descriptions, identical referencenumerals indicate those components that are common to differentembodiments or configurations.

Unless specifically stated otherwise, as apparent from the followingdiscussions, it is appreciated that throughout the specificationdiscussions, utilizing terms such as “processing”, “computing”,“calculating”, “determining”, “generating”, “creating” or the like,refer to the action and/or processes of a computer or computing system,or processor or similar electronic computing device, that manipulateand/or transform data represented as physical, such as electronic,quantities within the computing system's registers and/or memories intoother data, similarly represented as physical quantities within thecomputing system's memories, registers or other such informationstorage, transmission or display devices.

Embodiments of the present invention may use terms such as processor,computer, apparatus, system, sub-system, module, unit, device (in singleor plural form) for performing the operations herein. This may bespecially constructed for the desired purposes, or it may comprise ageneral purpose computer selectively activated or reconfigured by acomputer program stored in the computer. Such a computer program may bestored in a computer readable storage medium such as, but not limitedto, any type of disk including, optical disks, CD-ROMs, magnetic-opticaldisks, read-only memories (ROMs), random access memories (RAMs),electrically programmable read-only memories (EPROMs), electricallyerasable and programmable read only memories (EEPROMs), magnetic oroptical cards, or any other type of media suitable for storingelectronic instructions, and capable of being coupled to a computersystem bus.

The processes/devices (or counterpart terms specified above) anddisplays presented herein are not inherently related to any particularcomputer or other apparatus, unless specifically stated otherwise.Various general purpose systems may be used with programs in accordancewith the teachings herein, or it may prove convenient to construct amore specialized apparatus to perform the desired method. The desiredstructure for a variety of these systems will appear in the descriptionbelow. In addition, embodiments of the present invention are notdescribed with reference to any particular programming language. It willbe appreciated that a variety of programming languages may be used toimplement the teachings of the inventions as described herein.

The references cited in the background teach many principles ofencryption and compression that are applicable to the present invention.Therefore the full contents of these publications are incorporated byreference herein where appropriate for appropriate teachings ofadditional or alternative details, features and/or technical background.

The term “criterion” used in this patent specification should beexpansively construed to cover any compound criterion, including, forexample, several criteria and/or their combination.

The term “logical data object (LO)” used in this patent specificationshould be expansively construed to include any types and granularitiesof data units used in a computing system and handled as one unit (e.g.data files, archive files, image files, database files, memory datablocks, stream data blocks, etc.).

Bearing this in mind, attention is drawn to FIG. 1 illustrating aschematic diagram of typical storage network architectures as known inthe art. The logical data objects (LO) from clients 11 and/or servers 12are transferred via network 13 to storage device(s) 14 (e.g. specializedNAS file servers, general purpose file servers, SAN storage, streamstorage device, etc.). The network comprises one or more communicationdevices 15 (e.g. switch, router, bridge, etc.) facilitating the datatransfer. The storage in the illustrated network may be wholly or partlyimplemented using block mode access and/or file mode access storageprotocols. In file mode access the logical data objects (LOs) areconstituted by files, and the network is IP network (e.g. local areanetwork (LAN), wide area network (WAN), combination thereof, etc.). Inblock mode access embodiments, the logical data objects are constitutedby data blocks and the network is Storage Area Network (SAN)implementing, for example, Fiber Channel or iSCSI protocols. In certainembodiments the storage device 14 a may be directly connected to aserver 12 via block mode access storage protocols (e.g. SCSI, FiberChannel, etc.). Such Direct Access Storage includes, for example, theinternally attached local disk drives or externally attached RAID(redundant array of independent disks) or JBOD (just a bunch of disks),etc.

At least part of the logical data objects may be stored in a transformedform (e.g. a compressed form and/or an encrypted form). Accordingly,they may be transformed (e.g. compressed/decompressed and/orencrypted/decrypted) on a physical or logical communication routebetween the clients/servers and the storage location. The transformationor part thereof may be provided, for example, by the server 12,communication device 15, by a transformation system 16 operativelycoupled to the clients/servers and the storage device, by the storagedevice 14, etc. Typically the secure keys used for encryption are heldseparately from the device providing encryption and/or storage, forexample, they may be held at a key holding platform 17 operativelycoupled with the transformation platform 16. Likewise, coding tables andsimilar external data involved in the transformation process may be heldseparate from the processing and/or storage devices.

Note that the invention is not bound by the specific architecturedescribed with reference to FIG. 1. Those versed in the art will readilyappreciate that the invention is, likewise, applicable to any computingsystems and any storage network architecture facilitating transformationof one or more logical data objects on a physical and/or logical routebetween a computer sending data access request to the logical dataobject and a storage location of the appropriate transformed data,including embodiments wherein transformation (e.g. compression and/orencryption) and storage are provided at the same physical location.

FIGS. 2 a-2 b, 3 a-3 b, and 4 a-4 d illustrate schematic diagrams oforiginal and transformed logical data objects in accordance with certainembodiments of the present invention. The transformation may comprisecompression, encryption, encoding, conversion, etc. and/or combinationsthereof. The transformation illustrated in FIGS. 2 a-2 b is compressionof logical data objects, in FIGS. 3 a-3 b—encryption of logical dataobjects, and in FIGS. 4 a-4 d the illustrated transformation includes acombination of compression and encryption. For purpose of illustrationonly the following description is made with respect to processinglogical data objects by the transformation system 16, writing theprocessed data to the storage device 14, reading the data to bede-transformed (e.g. decrypted, decompressed, etc.) from the storagedevice, and de-transforming them by the transformation system 16. Itshould be noted, however, that the present invention is applicable in asimilar manner to transformation/de-transformation provided by anypurpose device operatively located on a physical and/or logical routebetween a computer sending access-related request (e.g. open, read,write, etc.) to the LO and a storage location of appropriate transformeddata (including the end points of said route). The describedfunctionalities of the transformation system may be provided indifferent ways. For example, the transformation system 16 may beintegrated in one or more said devices “inter alias”, the functionalityof the transformation system may be implemented in one or morespecialized boards, distributed (fully or partly) between other modulesof at least one device, etc. The integration may be provided in adifferent manner and implemented in software and/or firmware and/orhardware. The integration may be provided with any storage networkelements (for example, file servers, enterprise and network switches,routers, storage devices, etc.), etc.

Also it should be noted that the invention is, likewise, applicable towriting the processed data in a memory of any device on said route andlater forwarding the entire transformed LO or parts thereof for storingat a storage location, as well as for forwarding the transformed data tobe read from the storage location to any device on said route andfurther de-transformation.

For purpose of illustration only, the following description is made withrespect to an adaptive dictionary-based data compression algorithm (e.g.Lempel-Ziv). It should be noted that the invention is not bound by thisalgorithm and is, likewise, applicable to any other sequential datacompression algorithm. Among advantages of certain embodiments using theadaptive dictionary-based compression algorithm, is gainingcompression/decompression performance.

Also for purpose of illustration only, the following description is madewith respect to a block cipher using secret-key symmetric algorithm(e.g. IDEA—International Data Encryption Algorithm). It should be notedthat the invention is not bound by this algorithm and is, likewise,applicable to any other, symmetric or asymmetric, encryption algorithmcapable to break a block of plaintext data into segments and totransform each plaintext segment of the block into a segment ofciphertext.

FIGS. 2 a, 3 a, 4 a and 4 b illustrate schematic diagrams of originaland transformed logical data objects in accordance with certainembodiments of the present invention for file mode access. Thetransformation system 16 is configured to intercept file call operations(file access-related requests) as well as some control transactions(e.g. set end of file) and to act as a proxy on certain transactions(e.g. keeping the throughput on most control transactions and proxy ondata transactions and certain control transactions). The transformationsystem is capable of deriving and processing data corresponding to theintercepted file access-related request, facilitating communication withand/or within the file system for storing the processed data at thestorage medium as at least one transformed file and/or facilitatingde-transformation of at least part of the processed data correspondingto the intercepted file request. During “write” operation on the filesto be processed for storage, the transformation system 16 receives fromthe clients 11 and/or the servers 12 through the network 13 datacorresponding to said files, transforms the data and facilitates writingat the file storage device 14. A “read” operation proceeds in reversedirection; the required files are retrieved by the transformationsystem, de-transformed (partly or entirely, in accordance with requireddata range) and sent to the appropriate client/server. When appropriate,the transformation system is capable to communicate with the externalplatform (e.g. keys holding platform 17) for obtaining external datainvolved in the transformation process (e.g. secure keys and/or securevalue or other metadata thereof involved in the transformation).

FIGS. 2 b, 3 b, 4 c and 4 d illustrate schematic diagrams of originaland transformed logical data objects in accordance with certainembodiments of the present invention for block mode access. As known inthe art, typical storage systems and networks are able to recognize thedivided organization of storage. A storage disk or a set of disks may beconceptually divided into logical unit(s). The storage logical units(LU) can directly correspond to volume drive, to host application,storage device, etc. and constitute a logical representation of physicalstorage. Each logical unit has an address, known as the logical unitnumber (LUN), which allows it to be uniquely identified. Users candetermine whether a LUN is a disk drive, a number of disk drives, apartition on a disk drive, combinations thereof, etc. In certainembodiments of the present invention, one or more LUs accommodatetransformed data, while the transformation system is configured tocreate in respect to the storage logical units corresponding virtuallogical units (VLUs) arranged to virtually represent in anon-transformed form the data stored in the storage logical Unit (i.e.the original data); intercept data access-related requests addressed tothe storage logical unit and address said request to the virtual logicalunit; and facilitate mapping between the transformed data and theirnon-transformed virtual representation at the virtual logical unit.Thus, in accordance with certain aspects of the present invention, thecomputer's operating system (OS) will relate to the VLU as a virtualrepresentation of non-transformed data (original LO).

The ratio between the sizes of VLU and LU may be predefined and/or beadaptable during the transformation process. For example, as will befurther detailed with reference to FIG. 2 b for the case of compressingtransformation, the ratio between the size of LU and VLU may be definedin accordance with the expected compression rate (e.g. the size of thevirtual logical unit may correspond to an estimated size of raw datawhich, being compressed, would substantially amount to the size of thestorage logical unit) and adapted in accordance with real compressionratio.

For purpose of illustration only, the following description is made withrespect to certain embodiments wherein each chunk of original data istransformed when it arrives and is written to the storage location inthe transformed form substantially without keeping data in a cache andindependently of processing the other received chunks. It should benoted that the invention is, likewise, applicable, for example, when thereceived chunks are combined or segmented before processing and/orbefore writing in the storage device (e.g. in accordance with sizecriterion). The size of data to be transformed and the size oftransformed data to be written as one portion (and/or size of originaldata to be written as one portion) may be configurable per certaincriteria (e.g. per size of I/O buffer of the transformation systemand/or storage device, characteristics of transformation engine,configurable runtine, characteristics of the storage network, type ofincoming and outgoing traffic, etc.). The transformation system mayprovide acknowledgment of writing data to the storage location indifferent modes, e.g. per each written portion, perpredefined/configurable number of portions, per predefined/configurableruntime, etc. depending, for example, on protocols of storage networkand traffic thereof. It should be also noted that in certain embodimentsof the present invention (e.g. as further detailed with reference toFIG. 7) data chunks fitting certain criterion may be stored innon-transformed form resulting from transformation failure or omittingthe transforming processing.

Bearing this in mind, attention is drawn to FIG. 2 a illustrating aschematic diagram of raw and compressed logical data objects inaccordance with certain embodiments of the present invention for filemode access. The chunks of data (202-1-202-6) comprised in uncompressedLO (raw file 201 in the illustrated embodiment) are sequentiallyprocessed into compressed data chunks (207-1-207-6) to be accommodatedinto blocks 205-1, 205-2 (hereinafter referred to as compressed sections(CS)) with a predefined size. It should be noted that, as will befurther detailed with reference to FIG. 7, some chunks of the processeddata may be accommodated in non-compressed form if they do not meetcertain criterion (e.g., when an obtainable compression ratio less thana predefined value, etc.).

Said compressed sections serve as atomic elements ofcompression/decompression operations during input/output transactions onthe files. The compression processing is provided in a manner enablingsubstantial identity between a decompressed compression section and theoriginal data accommodated in said section as result of compression(e.g. in the illustrated example data resulting of decompressing thecompressed section 205-1 will be substantially identical to the originaldata comprised in the chunks 202-1, 201-2 and 201-3).

The size of the compressed sections may be configurable; largercompressed sections provide lower processing overhead and highercompression ratio, while smaller compressed sections provide moreefficient access but higher processing overhead. The size of thecompressed section may be predefined also in accordance with a certaintime-related criterion (e.g. estimated time necessary to compress datawhich, being compressed, would substantially amount to the compressedsection size, etc.).

In certain embodiments of the invention the predefined size of thesections may be equal for all compressed sections (e.g., by way ofnon-limiting example, the compressed sections may have equal size of 1MB). Alternatively, in certain embodiments of the invention, thepredefined size may vary for different compressed sections. For example,each type of data (e.g. text, image, voice, combined, etc.) or logicaldata objects may correspond to predefined size of the compressedsection, and the transformation system during compression may select theappropriate size of the compressed section in accordance with data typedominating in the respective portion of the raw file being compressed(and/or type of LO). Optionally, the compression process may includeadaptive capabilities, providing, for example, optimized compressionalgorithm for compressed data chunks accommodated in differentcompressed sections (e.g. different compression algorithms best suitedfor sections with dominating voice, text, image, etc.).

The real total size of the compressed data accommodated in thecompressed section may be less than the predefined size of thecompressed section as will be further described with reference to FIG.9.

In accordance with certain embodiments of the present invention, theprocessed chunks (207-1-207-6) are accommodated in the compressedsections according to the order of receiving the respective incomingchunks (202-1-202-6), said accommodation may be provided in log form,journal form, or other form of sequential accommodation. The compressedLO (compressed file 203 in the illustrated embodiment) comprises aheader 204, one or more compressed sections 205 and one or more indexsections (IS) 206. The header 204 of the compressed file comprises aunique file descriptor, a flag indicating that the file is currentlyopen (or a recovery status), information about the size of the raw file201, and, optionally, a signature indicating whether the file wasprocessed by the transformation system 16 (also for files which were notcompressed by the transformation system as not fitting certaincriterion, e.g., because of obtainable compression ratio less than apredefined value), etc. In certain embodiments of the invention theheader may have a fixed length. The header and index sections will befurther detailed with reference to FIGS. 5-10.

In other embodiments of the present invention (e.g. in certainembodiments where compressed/decompressed functionalities are integratedwith the storage device, etc.) the header 204 or any of its parts andcombinations thereof may constitute a part of the file system. Forexample, a file identifier used in a certain file system (e.g. node ID)may be used as the unique file descriptor of the compressed file, a filerecord in the file system may be modified and comprise additionalfields, e.g. for information about the size of the raw file, saidsignature, etc. The index section or parts thereof may also constitute apart of the file system.

FIG. 2 b illustrates a schematic diagram of raw and compressed logicaldata objects in accordance with certain embodiments of the presentinvention for the block mode access. The chunks of data comprised inuncompressed (raw) LO are sequentially processed into compressed datachunks (217-1-217-6) to be accommodated into blocks 215-1, 215-2(hereinafter referred to as compressed sections) with a predefined sizeand similar to compressed sections described with reference to FIG. 2 a.Said uncompressed chunks corresponding to the processed data chunks(217-1-217-6) are virtually represented in the VLU 211 as data chunks(212-1-212-6). The compressed sections serve as atomic elements ofcompression/decompression operations during input/output transactions(data access-related requests) on the data blocks. The ratio between thesizes of VLU and LU may be predefined in accordance with certaincriteria (e.g. per dominating type of data in the compressing datablock, per maximal or minimal compression ratio obtainable for saiddata, etc.) or be adaptable during the compression process. By way ofnon-limiting example, in certain embodiments of the present inventionthe ratio between size of VLU and LU is estimated as 3 for e-mails, as 8for a text formatted data, etc. In certain cases the real ratio betweenthe compressed and raw data may be (and/or become) less than theestimated ratio. This difference may cause an overflow of the storagelogical unit, as the computer's operating system (OS) will relate to theVLU still representing free space when the LU is, actually, full up.Accordingly, the transformation system 16 may be configured to detectthe upcoming overflow event (e.g. by determining the actual compressionrate and the free space in LU, etc.) and to facilitate enlarging thestorage logical unit by predefined or calculated space if free capacityin LU does not match certain criterion (e. g. less than a predefinedsize). The transformation system is further configured to detect afailure of said LU enlarging (e.g. because of unavailable additionaldisk space, inability of the storage device to support the dynamic LUchanges, etc.), change the access status of the LU to ‘read only’, andto keep this status until the free capacity in the LU matches the abovecriteria. Similar, the transformation system may be configured tofacilitate releasing of free space in LU if the real ratio between thecompressed and raw data is higher than the estimated ratio.

Likewise described with reference to FIG. 2 a, the compressed chunks areaccommodated in the compressed sections according to the order ofreceiving the respective incoming chunks; said accommodation may beprovided in log form, journal form, or other form of sequentialaccommodation. The compressed LO (LU 213) comprises a header 214, one ormore compressed sections 215, an index section 216 and a free space 218.The header 214 comprises a unique descriptor containing a logical unitnumber (LUN), the size of the virtual logical unit (VLU), the size of LU(optionally), an open/recovery flag, a signature indicating whether atleast part of the storing data were processed by the transformationsystem 16, etc. The header may have a fixed length (e.g., by way ofnon-limiting example, 24 bytes including 4 bytes for the signature, 16bytes for the unique descriptor, 4 bytes for the info about size of thecorresponding virtual logical unit).

In other embodiments of the present invention (e.g. in certainembodiments when compressed/decompressed functionalities are integratedwith the storage device, etc.) the header 214 or any of its parts andcombinations thereof may constitute a part of disk attributes, the indexsection 216 may constitute a part of the disk attributes, etc.

Thus, chunks of data comprised in the original logical data object (LO)of any type are sequentially compressed and accommodated in the receivedorder in one or more compressed sections with predefined size. Thecompression processing is configured in a manner enabling substantialidentity between compression section if being decompressed and theoriginal data accommodated in said section as a result of compression.The chunks accommodated in the same compressed section are compressedusing the same dictionary. As will be further detailed with reference toFIG. 6, the information in the index section facilitates one-to-onerelationship between each point in the original data range and the datato be read from the logs after de-transformation. The compressed datachunks are moved to the storage location in a “sync-flush” mode enablingall pending output to be flushed to the output (storage) buffer withouta reset of compression operation. Thus sync flushing of the compressionbuffer enables using the same dictionary within the compressed sectionwhilst facilitating data integrity. Sync-flush may be implemented indifferent ways, some of them known in the art (e.g. by applyingZ_SYNC_FLUSH parameter in deflate/inflate functions provided in ZLIBcompression library, ZLIB.H—interface of the ‘zlib’ general purposecompression library, version 1.2.3, Jul. 18, 2005, Copyright (C)1995-2005 Jean-Loup Gailly and Mark Adler).

In certain embodiments of the invention the initial k bytes of the datato be compressed are used as a dictionary. The same dictionary isfurther used for compression of the entire first and subsequent chunksof sequential data to be processed/compressed and accommodated in acompressed section, while the dictionary is adapted in accordance withprocessed data, e.g. per Lempel-Ziv algorithm. The process continuesuntil the total size of the compressed data substantially achieves thepredefined size of the compressed section. The next chunk of compresseddata will be accommodated in a subsequent compressed section. Theinitial k bytes in said next chunk will be used for renewing thedictionary to be used for compressing the data accommodated in saidsubsequent compressed section. In certain embodiments of the invention anew compression sequence started in the new compressed section may usethe same initial compression dictionary as the previous sequence.

In certain embodiments of the invention the dictionaries correspondingto data in different compressed sections may be maintained as an entiredictionary comprising certain pointers to appropriate compressedsections. This entire dictionary may be accommodated in one or moreindex sections or be distributed between different index sections and/orcompressed sections. Alternatively, the dictionary may be divided intoseveral separately managed dictionaries corresponding to one or morecompressed sections. In certain embodiments the index section mayaccommodate one or more dictionaries corresponding solely to data in thecompressed sections associated with said index section. In someembodiments each compressed section may comprise a dictionary related tothe data stored in the section.

In certain embodiments of the invention each received portion of rawdata is received, processed, compressed if it fits certain criteria, andwritten to the storage location almost without keeping data in a cache,and independently of processing the other received portions. In otherembodiments of the present invention several received portions may beprocessed together and written in the storage device as one compressedportion.

Among advantages of certain embodiments of the present invention is theability to process and write relatively small chunks of data whereinobtaining capabilities of compression over a relatively large volume ofdata (compressed section); as well as enhanced compression ratiofacilitated by sequential compression of data chunks using the sameadaptive dictionary.

FIG. 3 a illustrates a schematic diagram of original and encryptedlogical data objects in accordance with certain embodiments of thepresent invention for file mode access. The chunks of data (302-1-302-4)comprised in a plaintext LO (plaintext file 301 in the illustratedembodiment) are sequentially processed into encrypted data chunks(307-1-307-4) to be accommodated into blocks 305-1, 305-2 (hereinafterreferred to as encrypted sections (ES) with a predefined size. It shouldbe noted that, as will be further detailed with reference to FIG. 7,some chunks of the processed data may be accommodated in non-encryptedform if they do not meet certain criterion.

Similar to the compression sections described with reference to FIGS. 2a and 2 b, said encrypted sections serve as atomic elements ofencryption/decryption operations during input/output transactions on thefiles. The size of the encrypted sections may be configurable; smallerencrypted sections provide more efficient access but higher processingoverhead. In certain embodiments of the invention the predefined sizemay be equal for all encrypted sections (e.g., by way of non-limitingexample, the encrypted sections may have an equal size of 1 MB).Alternatively, in certain other embodiments of the invention, thepredefined size of the encrypted sections may vary. For example, eachtype of data may correspond to predefined size of the encrypted section,and the transformation system during encryption may select theappropriate size of the encrypted section in accordance with data typedominating in the respective chunk (or a group of chunks) of theplaintext file being encrypted.

In accordance with certain embodiments of the present invention, theprocessed/encrypted chunks (307-1-307-4) are accommodated in theencrypted sections in accordance with the order of receiving respectivechunks of plaintext data, said accommodation may be provided in logform, journal form, etc. The encrypted LO (encrypted file 303 in theillustrated embodiment) comprises a header 304, one or more encryptedsections 305 and one or more index sections (IS) 306. The header 304 ofthe encrypted file comprises a unique file descriptor, a flag indicatingthat the file is currently open (or recovery status), information aboutthe size of the plaintext file 301, and, optionally, a signatureindicating whether the file was processed by the transformation system16 (also for files which were not encrypted by the transformation systemas not fitting certain criterion, e.g., certain authorization marks,certain type of files, etc.). In certain embodiments of the inventionthe header may have a fixed length. The header and index sections willbe further detailed with reference to FIGS. 5-10.

In other embodiments of the present invention (e.g. in certainembodiments where encrypted/decrypted functionalities are integratedwith the storage device, etc.) the header 304 or any of its parts andcombinations thereof may constitute a part of the file system. Forexample, a file identifier used in a certain file system (e.g. node ID)may be used as the unique file descriptor of the encrypted file, a filerecord in the file system may be modified and comprise additionalfields, e.g. for information about the size of the plaintext file, saidsignature, etc. The index section or parts thereof may also constitute apart of the file system.

FIG. 3 b illustrates a schematic diagram of plaintext and encryptedlogical data objects in accordance with certain embodiments of thepresent invention for block mode access. The chunks of data comprised inplaintext LO are sequentially processed into encrypted data chunks(317-1-317-4) to be accommodated in the received order into blocks315-1, 315-2 (hereinafter referred to as encrypted sections) with apredefined size and similar to encrypted sections described withreference to FIG. 2 a. Said plaintext chunks corresponding to theprocessed data chunks (317-1-317-4) are virtually represented in the VLU311 as data chunks (312-1-312-4).

The encrypted LO (LU 313) comprises a header 314, one or more encryptedsections 315, an index section 316 and a free space 318. The header 314comprises a unique descriptor containing a logical unit number (LUN),the size of the virtual logical unit (VLU), the size of LU (optionally),an open/recovery flag, a signature indicating whether at least part ofthe storing data were processed by the transformation system 16, etc.The header and index sections will be further detailed with reference toFIGS. 5-10.

In other embodiments of the present invention (e.g. in certainembodiments when encryption/decryption functionalities are integratedwith the storage device, etc.) the header 314 or any of its parts andcombinations thereof, and/or the index section 316 may constitute a partof disk attributes.

Thus, chunks of data comprised in the original logical data object (LO)of any type are sequentially encrypted and accommodated in the receivedorder in one or more encrypted sections with predefined size.

The encryption processing is configured in a manner enabling substantialidentity between encryption section if being decrypted and the plaintextdata accommodated in said section as a result of encryption.

A block cipher encryption algorithm breaks plaintext data in thereceived chunks into fixed-size segments (e.g. 16 bytes) and encryptseach plaintext segment of the chunk into encrypted segment withfixed-size B. In the illustrated embodiment the transformation system iscapable to round, when the encrypted segments, when necessary to saidfixed size B (e.g. by entering padding data). The first and subsequentchunks of sequential data are encrypted with the same secure key andaccommodated in an encrypted section. The process continues until thetotal size of the encrypted data substantially achieves the predefinedsize of the encrypted section. The next chunk of encrypted data will beaccommodated in a subsequent encrypted section. The data in differentencrypted sections may be encrypted with the same or with differentsecure keys. Also, as will be further detailed with reference to FIG. 6,the information in the index section facilitates one-to-one mappingbetween each point in the original data range and the data to be readfrom the logs after decryption.

The encryption process will be further detailed reference to FIGS. 12 a)and 12 b).

FIGS. 4 a-4 b illustrate schematic diagrams of original and transformedlogical data objects in accordance with certain embodiments of thepresent invention for file mode access, wherein transformation includescompression and encryption.

The chunks of data (402-1-402-4 illustrated in FIG. 4 a) comprised in anoriginal LO (original file 401 in the illustrated embodiment) aresequentially transformed into data chunks (408-1-408-4 illustrated inFIG. 4 b) accommodated into blocks 406-1, 406-2 with a predefined size.Similar to compressed sections detailed with reference to FIGS. 2 a-2 b,and encrypted sections detailed with reference to FIGS. 3 a-3 b, saidblocks serve as atomic elements of compression/decompression andencryption/decryption operations during input/output transactions on thefiles. In the following description the term “accommodation section(AS)” will be used to any storing block configured to accommodatetransformed data chunks (including compressed sections and encryptedsections described above) and serving as atomic elements fortransforming/de-transforming operations in accordance with certainembodiments of the present invention. The accommodation sections mayhave equal predefined size, or, alternatively, during the transformationprocess the transformation system may select a predefined size for acertain accommodation section in accordance with predefined criterion.

Processing the original chunks of data (402-1-402-4) into stored datachunks (408-1-408-4) comprises two processes: 1) compressing theoriginal chunks into compressed data chunks (403-1-403-4), and 2)encrypting the compressed data chunks (403-1-403-4) into encryptedchunks (404-1-404-4) to be accommodated. The processes are synchronizedand provided in parallel, i.e. the compression and encryption processesare coordinated with respect to time (synchronized processes) andconcurrently execute autonomous sets of instructions (parallelprocesses) related, respectively, to compression and to encryption,while the compression, the encryption and the accommodation are providedin a manner preserving the sequence of the original chunks.

In the embodiment illustrated in FIG. 4 a the synchronization of theprocesses is characterized by that each output chunk processed in thecompression process serves as input chunk in the encryption process.Accordingly, the sequences of compressed and encrypted data chunkscorrespond to the sequence of the original data chunks. For example,compression of original chunks 402-1-402-3 into compressed chunks403-1-403-3 finished and encryption of these resulted chunks intoencrypted chunks 204-1-204-3 starts at points in time t_(s1)-t_(s3)respectively. In the illustrated example the compression of the originalchunk 402-4 into compressed chunk 403-4 is finished at t_(s4), while theencryption of the compressed chunk 403-3 into encrypted chunk 404-3 isnot finished till this moment. The encryption of the sequentialcompressed chunk 403-4 into encrypted chunk 404-4 will start after thechunk 404-3 is encrypted (with delay Δt after t_(s3) when thecompression of the chunk 403-4 is finished).

In certain embodiments of the invention each received chunk of originaldata is compressed and sent to be encrypted almost without keeping datain a cache and autonomously of processing the other received chunks. Inother embodiments of the present invention a received chunk may besegmented or several received chunks may be compressed together andfurther encrypted as one compressed chunk.

It should be noted that, as will be further detailed with reference toFIG. 7, the processing of chunks fitting certain criterion may includeonly compression, or only encryption, or neither of them, wherein thesequence of chunks during the processing and accommodation is retainedas corresponding to the sequence of the received chunks.

It should be noted that the invention is not bound by the illustratedway of synchronization and is, likewise, applicable to any other form ofcoordination in time compression and encryption processes, saidcoordination facilitating preserving the sequence of data chunks.

As illustrated in FIG. 4 b, the processed chunks (404-1-404-4) arewritten to the accommodation sections (stored chunks 408-1-408-4) inaccordance with the order of receiving respective chunks of originaldata. The transformed LO (compressed and encrypted file 409 in theillustrated embodiment) comprises a header 405, one or moreaccommodation sections 406 and one or more index sections (IS) 407. Theheader 405 of the transformed file comprises a unique file descriptor, aflag indicating that the file is currently open (or a recovery status),information about the size of the original file 401, and, optionally, asignature indicating whether the file was processed by thetransformation system 16 (also for files which were not encrypted and/orcompressed) by the transformation system as not fitting certaincriterion, e.g., certain authorization marks, certain type of files,certain compression ratio, etc.). In certain embodiments of theinvention the header may have a fixed length. The header and indexsections will be further detailed with reference to FIGS. 5-10.

In other embodiments of the present invention (e.g. in certainembodiments where encrypted/decrypted and/or compression/decompressionfunctionalities are integrated with the storage device, etc.) the header405 or any of its parts and combinations thereof may constitute a partof the file system. For example, a file identifier used in a certainfile system (e.g. node ID) may be used as the unique file descriptor ofthe transformed file, a file record in the file system may be modifiedand comprise additional fields, e.g. for information about the size ofthe original file, said signature, etc. The index section or partsthereof may also constitute a part of the file system.

FIGS. 4 c-4 d illustrate schematic diagrams of original and compressedand encrypted logical data objects in accordance with certainembodiments of the present invention for block mode access. The chunksof data comprised in the original LO are sequentially transformed intodata chunks (418-1-418-4 illustrated in FIG. 4 d) accommodated in thereceived order into accommodation sections 416-1, 416-2. Said originaldata chunks corresponding to the transformed data chunks (418-1-418-4)are virtually represented in the VLU 411 as data chunks (412-1-412-4)illustrated in FIG. 4 c.

Similar to embodiments detailed with reference to FIGS. 4 a and 4 b,processing the original chunks of data (412-1-412-4) into stored datachunks (418-1-418-4) comprises two synchronized parallel processes: 1)compressing the original chunks into compressed data chunks(413-1-413-4), and 2) encrypting the compressed data chunks(413-1-413-4) into encrypted chunks (414-1-414-4) to be accommodated.Accordingly, the compression and encryption processes are coordinatedwith respect to time and execute autonomous sets of instructionsrelated, respectively, to compression and to encryption, while thecompression and the encryption are provided in a manner preserving thesequence of the original chunks. The synchronization of the processes ischaracterized by that each output chunk processed in the compressionprocess serves as an input chunk in the encryption process. Accordingly,the sequences of compressed and encrypted data chunks correspond to thesequence of the original data chunks.

As illustrated in FIG. 4 d, the processed chunks (414-1-414-4) arewritten to the accommodation sections (stored chunks 418-1-418-4) inaccordance with the order of receiving respective chunks of originaldata. The transformed LO (LU 419 comprising compressed and encrypteddata) comprises a header 415, one or more accommodation sections 416,one or more index sections (IS) 417 and a free space 420. The header 415comprises a unique descriptor containing a logical unit number (LUN),the size of the virtual logical unit (VLU), the size of storage logicalunit (optionally), an open/recovery flag, a signature indicating whetherat least part of the storing data were processed by the transformationsystem 16, etc.

In other embodiments of the present invention (e.g. in certainembodiments when encryption/decryption and/or compression/decompressionfunctionalities are integrated with the storage device, etc.) the header415 or any of its parts and combinations thereof may constitute a partof disk attributes, the index section 417 may constitute a part of thedisk attributes, etc.

Thus, chunks of data comprised in the original logical data object (LO)of any type are sequentially transformed and accommodated in thereceived order in one or more accommodation sections, wherein thetransformation comprises compressing and encrypting processes.Compressing the chunks may be provided similar to compressingtransformation described with reference to FIGS. 2 a-b. The initial kbytes of the data to be compressed are used as a dictionary. The samedictionary is used for compression of the first and subsequent chunks ofsequential data to be compressed while the dictionary is adapted inaccordance with processed data, e.g. per Lempel-Ziv algorithm. Theprocess is continued for all chunks to be accommodated (afterencryption) in a certain accommodation section (selection of a sectionfor accommodation is further detailed with reference to FIG. 9). Theinitial k bytes of next chunk of original data to be accommodated in asubsequent accommodation section will be used for renewing thedictionary to be used for compressing the data to be accommodated insaid subsequent accommodation section. In certain other embodiments ofthe invention a new compression sequence started in the new compressedsection may use the same initial compression dictionary as the previoussequence.

Each compressed chunk matching certain criterion is further encryptedbefore storing in respective accommodation section in a manner similarto detailed with reference to FIGS. 3 a-3 b. A block cipher encryptionalgorithm breaks plaintext data in the compressed chunks into fixed-sizesegments. The first and subsequent compressed chunks are encrypted withthe same secure key and accommodated in an appropriate accommodationsection. The process is continued until the total size of the encrypteddata substantially achieves the predefined size of the accommodationsection. The next encrypted chunk will be accommodated in a subsequentaccommodation section. The data to be accommodated in differentaccommodation sections may be encrypted with the same or with differentsecure keys. The encryption process will be further detailed withreference to FIGS. 12 a-12 b. In certain embodiments of the inventionthe transformation system enters padding data (e.g. random characters,blanks, zeros, etc.) in one or more compressed chunks to enable theinput of the block cipher to be an exact multiple of the segments size.When decrypting, the transformation system removes the padding databefore decompression.

FIG. 5 illustrates a schematic diagram of the transformed logical dataobject in accordance with certain embodiments of the present invention.As, by way of non-limiting example, was detailed with reference to FIGS.2 a-b, 3 a-b and 4 a-d, chunks of data comprised in the original logicaldata object (LO) of any type are transformed and sequentiallyaccommodated in the received order in one or more accommodation sections(505A-505F) with predefined size. The accommodation sections serve asatomic elements of transforming/de-transforming operations duringinput/output transactions (data access-related requests) on the logicaldata objects. The transforming processing is configured in a mannerenabling substantial identity between accommodation section if beingde-transformed and the original data accommodated in said section as aresult of transformation.

The transformed LO 503 comprises the header 504, one or moreaccommodation sections (505A-505F) and one or more index sections (506A,506B). The index section is not necessary if the transformed LOcomprises one accommodation section only.

In addition to the sequentially accommodated transformed data chunks,the accommodation section has a unique identifier (typically held in aheader of the accommodation section). The indication of physical storagelocation pertaining to the accommodation section is stored in theaccommodation section itself (e.g. in the header) and/or index section.The information related to external data involved in the transformation(e.g. information related to the secure key used for encryption of thedata chunks comprised in the accommodation section as, for example, keyID, pointer to key physical location, metadata related to the key, etc.)may be stored in the accommodation section itself (e.g. in the section'sheader) and/or index section and/or header 504.

In certain embodiments of the present invention each accommodationsection has an assigned flag (e.g. a bit flag 1 or 0) indicatinguse/re-use condition of the section stored in the accommodation section(e.g. in the header) and/or index section. Accordingly, each transformedchunk within a section has the same flag as the section. Whenaccommodated at a new physical location, the accommodation section isprovided with flag 0. When accommodated at a physical locationpreviously occupied by another accommodation section, the accommodationsection is provided with a flag opposite of the flag of said anotheraccommodation section being rewritten. Accordingly, new transformed datachunks being written to a certain physical location can bedifferentiated from old data chunks previously accommodated at saidphysical location into the old (being rewritten) accommodation sectionas having different flags. This process is further detailed withreference to FIG. 9.

For purpose of illustration only, the following description is made withrespect to transformed data chunks accommodated in a log form (referredto hereinafter as logs). It should be noted that the invention is notbound by the log form and is, likewise, applicable to any other form ofsequential accommodation of the processed chunks of data.

In addition to the transformed data, each log comprises information(typically held in a log's header) in respect of an offset of theoriginal chunk of data within the logical data object, size of saidoriginal chunk, and an identifier allowing associating the log with theaccommodation section which accommodated the log (e.g. ID of thecorresponding accommodation section plus flag indicating use/re-use ofphysical location of the section as described above, etc.). Thisinformation or parts thereof may be stored in transformed and/ornon-transformed form. As will be further detailed for a case ofencryption with reference to FIGS. 12 a-12 b, the logs may also comprisetransformation-related information (e.g. initialization vector, key ID,etc.).

In certain embodiments of the invention the intercepted controltransaction (e.g. “set end of file”/truncate) are written to theaccommodation section as a log sequential to the respective transformeddata chunks and comprising a header with zero value of a data sizefield.

The index section 506 comprises at least one entry associated with atleast one accommodation section, this entry comprising pointer(s) (orother indicators) to physical storage location of the accommodationsection and records related to the respective logs accommodated in theaccommodation section (e.g. offset and size in the original/updated LO,association with the accommodation section, one or more flags assignedto the logs, etc.), said records referred to hereinafter as “logrecords”. Optionally the entry may comprise additional information as,for example, a signature indicating if at least part of logsaccommodated in the accommodation section comprise data innon-encrypted, non-compressed or otherwise non-transformed form, one ormore flags assigned to the accommodation section, dictionary used forcompression of the section, information related to secure key used inthe section, free size for accommodation in said accommodation section,indication of encryption, compression and/or other algorithms usedduring transformation (if variable), etc. In certain embodiments of theinvention the index sections have equal predefined size.

In certain embodiments of the invention the entry comprises only one,mostly updated log record in respect to each log. In other embodiments,e.g. as will be further detailed with reference to FIGS. 11 a-11 b, theentry may comprise updated and outdated records with respect to the samelog.

There are several ways of creating and/or updating the index section506. For example, the first index section may be created substantiallywhen creating the transformed logical object and the following indexsection(s) (if any) may be created when there is no free space in thecurrent (active) index section to accommodate a new entry.Alternatively, the first and/or the following index sections may becreated at a certain time after storing the corresponding accommodationsections based on information thereof, but not later than closing thelogical data object. The corresponding entries may be written/updatedsimultaneously with every update of the stored logical object, or at acertain later time (e.g. when starting a new accommodation section)based on data comprised in the accommodation sections, but not laterthan closing the logical data object. In a case of a failure, the indexsection(s) may be restored based on information comprised in theaccommodation sections as will be further detailed with reference toFIG. 10.

In certain embodiments of the invention the header 504 comprises anindicator (e.g. pointer) to physical location of the first index sectionand each index section has an indicator to the next sequential indexsection. Said indicators constitute one or more links 507 connectingsequential index sections. Optionally, the header 504 may also comprisean indicator to the first accommodation section and each accommodationsection may have an indicator to the next sequential accommodationsection. Said indicators may constitute one or more links connectingsequential accommodation sections.

Among advantages of certain embodiments of the present invention is theability to transform and write variable size chunks of data wherein apredefined size accommodation section is used for de-transforming andreading.

Referring to FIGS. 6 a-b, there are illustrated schematic diagrams oforiginal and transformed logical data objects during an update process.

In the example illustrated in FIG. 6 a, chunks of data 601-1, 601-2 and601-3 constituting the original LO are transformed, correspondently,into sequential logs 608-1, 608-2 and 608-3 accommodated in theaccommodation section 605-1. The index section 606-1 comprisesinformation related to said accommodation section and the logs thereof.By way of non-limiting example, the illustrated index section comprisesaccommodation section ID with a pointer to physical location (QWORD) anda list of respective records comprising offset (QWORD) and length (WORD)for each chunk of original data corresponding to the transformed chunksaccommodated in the section. Generally, the index section also comprisesan indicator (e.g. ID) of the next index section.

The exemplified information in the index section means that datatransformed into log 608-1 correspond to the range AB (offset A, lengthL1); data transformed into log 608-2 corresponds to the range BC (offsetB, length L2); and data transformed into the log 608-3 correspond torange CD (offset C, length L3).

FIG. 6 b illustrates an example of a case when a new data chunk 601-4having length L4 shall replace the data in the original LO starting fromoffset C₁, where (C₁+L4)=E<D. The new chunk of data is transformed andaccommodated in the accommodation section accommodating the previoustransformed logs (referred to hereinafter as an active accommodationsection) if said section comprises enough free space to accommodate saidnew log. If not, as illustrated in the example, the new accommodationsection 605-2 will be opened to accommodate the new log 608-4. Thepreviously accommodated logs are kept unchanged, while the index section606-1 is updated in a maimer facilitating one-to-one relationshipbetween each point in the original data range and the data to be readfrom the logs after de-transformation. In certain embodiments the indexsection comprises only last updated log records; in other embodimentsthe index section may comprise also old log records and special markingfor differentiating between old and updated records. Keeping old recordsin addition to updated records may be useful for certain applications,for example, for continuous data protection as further detailed withreference to FIG. 11.

In the example illustrated in FIG. 6 b the index section comprises onlylast updated records. The updated information in the index section meansthat the updated range AD corresponds to the following data in thetransformed logs: the range AB corresponds to data to be de-transformedfrom the log 608-1 in the accommodation section #1 with physicallocation X, the range BC₁ corresponds to the part of data (namely offsetB, length L2 ₁) to be de-transformed from the log 608-2 in theaccommodation section #1 with physical location X, the updated range C₁Ecorresponds to the new log 608-4 in the accommodation section #2 withphysical location Y, and the range ED corresponds to the part of data inlog 608-3 (namely offset E, length L3 ₁) in the accommodation section #1with physical location X. In the illustrated example, all data comprisedin the logs 608-1 and 608-4 are live, while part of the data comprisedin the logs 608-2 (namely range C₁C) and 608-3 (namely range CE) areoutdated. Updating the index section is further detailed with referenceto FIG. 9.

Referring to FIG. 7, there is illustrated a generalized flowchart ofcreating transformed logical data object in accordance with certainembodiments of the present invention. Upon receiving request 710 tostore a LO, the transformation system writes 711 the header of thetransformed LO to appropriate storage location (e.g. next to the end ofprevious stored logical data object), and allocates 1^(st) accommodationsection to accommodate the processed data. The initial header's recordcomprises the indication of transformation status (e.g. flag “ON”meaning that transformation is “in progress”; optionally, separate flagsfor different processes comprised in the transformation process, etc.).The transformation system also prepares 712 information (e.g. offset,size of data, etc.) related to the data chunk to be transformed.

In accordance with certain embodiments of the invention, thetransformation system is configured to hold certain criteria to bematched during transformation. The criteria may be related tocharacteristics of the logical data object, data chunk and/oraccommodation section and/or transforming operation or parts thereof.The criterion may be, for example, maximal length L_(max) of data to betransformed as one log; and/or maximal time T_(max) of receivingoriginal data to be transformed as one log; certain relationshipsbetween original and transformed data chunks and/or LO (e.g. minimalestimated or actual compression ratio; pre-defined type and/or format ofdata and/or LO, etc.

In certain embodiments of the invention the predefined criterion may berelated to transformation time of a data chunk and/or entire logicaldata object (e.g. maximal, estimated or actual, time of transformation(or steps thereof) of data chunk. This transformation time relatedcriterion may be limited by operational system time out, characteristicsof storage network and/or storage device, reliability requirements, etc.In some embodiments this criterion may be, for example, actualtransformation time of a data chunk, while in other embodiments thiscriterion may include, for example, chunk size, and/or type of dataand/or compression algorithm and/or other characteristics and acombination thereof allowing estimating the expected transformation timeof the data chunk. Accordingly, characteristics of the chunk to beobtained for comparing with this criterion may be the characteristicsallowing estimating the expected transformation time or actuallymeasured time of transformation. For transformation comprising more thanone process (e.g. compression and encryption), the transformation timecriterion may be related to each process separately and/or to the entiretransformation process.

The transformation system further verifies. 713 if the data chunk to betransformed fits a predefined criterion. The verification comprisesobtaining certain characteristics of the chunk and/or accommodationsection and/or transformation operation, and comparing them with saidcriterion. The characteristics may be obtained, for example, byidentifying certain parameters of the chunks (e.g. type of logicalobject, authorization marks, size, etc.), and/or by estimation ofexpected transformation results based upon observable characteristics(e.g. size, type of data, etc.), and/or by providing actualtransformation (or parts thereof) and identifying result(s).

If the criterion is matched, the transformation system processes 714 thedata chunk and facilitates its accommodation in the accommodationsection as a log comprising the data in transformed form. The previouslyprepared log-related information (offset, size, etc.) may be writtenwithin the log in transformed and/or non-transformed form. Saidinformation may also comprise indication (e.g. flag) of form of datacomprised in the log (e.g. transformed, not transformed, partlytransformed).

If the criterion is not matched (e.g., if the raw data chunk istransformed or supposed to be transformed during a period exceeding, forexample, 30 milliseconds, and/or compressed to not less than X % (say95%) of the original size, etc.), then the transformation systemfacilitates 715 accommodation of the data chunk in the accommodationsection as a log comprising data in non-transformed form. Fortransformation comprising more than one process the data chunks may beaccommodated in partly transformed form. For example, referring back tothe example illustrated with reference to FIG. 4, the compression of theoriginal chunk 402-4 into compressed chunk 403-4 is finished at t_(s4),while the encryption of the compressed chunk 403-3 into encrypted chunk404-3 is not complete till this moment. In certain embodiments thetransformation system may be configured to support transformationtime-related criterion requiring zero delay between end of compressionand start of encryption of the respective data chunk (and/or limitedtime of overall transformation process). In this case the transformationsystem may stop (or do not start) the encryption of the compressed chunk403-3, and accommodate the respective chunk 408-3 in partly transformedform. Alternatively, the transformation system may omit compressing thechunk (e.g. if there is an additional requirement to keep all dataencrypted), encrypt non-compressed data comprised in the chunk 402-3 andaccommodate the respective chunk 408-3 in partly transformed form.

Among advantages of processing in accordance with the transformationtime related criterion is the ability to facilitate transformation of alogical data object within a predefined time window, accordingly, tofacilitate, for example, on-line transformation while keeping dataintegrity, accessibility and availability, etc.

For fitting a certain criterion as, for example, maximal length L_(max)of data to be transformed as one log and/or maximal time T_(max) ofreceiving original data to be transformed as one log, the transformationsystem is configured to segment the received data range L and to processeach segment as a separated chunk.

Those skilled in the art will readily appreciate that in certainembodiments of the invention the operation 713 of verifying match tocertain criterion may be configured to be omitted (and/or the criterionmay be setup as “any chunk”), and accordingly, all data chunks shall betransformed by the transformation system.

After processing (714 or 715) of a given data chunk is completed, thecompression system prepares log-related information to be recorded inthe index section.

The transformation system further checks 716 if the raw logical dataobject comprises non-processed data and repeats 717 the process for thenext data chunk until at least one of the following is achieved: a) alldata in the LO are processed; b) there is not enough free space in theactive accommodation section to accommodate the next transformed datachunk. The transformation system updates 718 the index section, sendsacknowledgement to the clients 11 and/or servers 12 and, if started newAS, releases the access protection to the data in the previousaccommodation section if said protection was provided on a AS level. Theupdate of the index section may be provided substantially in parallelwith acknowledgement, when allocating the new AS and/or closing the LOand/or in accordance with other predefined rules.

As will be further detailed with reference to FIG. 9, if the free spacein the active accommodation section is insufficient to accommodate thenext data chunk (e.g. writing operation fails on target buffer overflow,estimated expected log size more than said free space, free space isless than size of data chunk to be processed or predefined part thereof,etc.), but still not all data in the LO are processed, thetransformation system allocates new accommodation section and repeats719 the operations for new data chunk(s). When all data are processed,the transformation system releases the access protection of the LO (ifsaid protection was provided for the entire LO).

The entries in the index section will comprise indication oftransformed/non-transformed/partly transformed form of data accommodatedin each of accommodation sections. This indication may be provided forentire accommodation section and/or each accommodated log. The header isprovided with corresponding indication of the status of the transformedLO. In certain embodiments of the invention this indication may be flag“OFF” (or other similar indication) meaning that the processing is“completed”, regardless of form of data accommodated in theaccommodation sections. In other embodiments of the invention the flag“OFF” may be provided only when all accommodation sections comprised inthe compressed LO accommodate data in the transformed form; until thismoment the flag (or other indication) in the header may be kept “ON” orhave some special indication that the processing is completed, but stillsome data are non-transformed or partly transformed.

Certain embodiments of the invention may further comprise postponedtransformation of non-transformed or partly transformed dataaccommodated in at least one accommodation section. Such postponedtransformation may be provided in accordance with apredefined/configurable time schedule (e.g. during non-working hours),per pre-defined event (e.g. administrator's request, absence of dataaccess-related request to given LO during predefined/configurable periodof time, available network bandwidths fitting predefined/configurablecriteria, etc.).

The process described with reference to FIG. 7 may be likewiseapplicable for updating existing logical data objects.

In certain embodiments of the invention, the criterion may be negative,for example data chunks may be accommodated in non-transformed or partlytransformed form by default, unless they match certain criterion (e.g.data type and/or application). Implementation of such embodiments isillustrated, by way of non-limiting example, in FIG. 8 for a case ofcompressing transformation.

Upon receiving request 810 to store a LO, the transformation systemwrites 811 the header of the transformed LO to appropriate storagelocation, and allocates 1^(st) accommodation section to accommodate theprocessed data. The initial header's record comprises the indication oftransformation status (e.g. flag “ON” meaning that transformation is “inprogress”; optionally, separate flags for different processes comprisedin the transformation process, etc.). The transformation system alsoprepares 812 information (e.g. offset, size of data, etc.) related tothe data chunk to be accommodated. The transformation system furtherwrites 813 the data chunk to the accommodation section as a logcomprising the data in non-compressed form. Optionally, before operation813, the transformation system verifies if the data chunk fits apredefined criterion requiring (e.g. mandatory or in accordance withfurther criterion) its compression before writing. The transformationsystem may further provide data padding to fit the entire size ofaccommodated data chunks to the size of AS.

The transformation system further checks 814 if the raw logical dataobject comprises non-processed data, updates 815 the index section, andsends acknowledgement to the clients 11 and/or servers 12. The processis repeated 816 for the next data chunk until all data in the LO areprocessed and accommodated (817, 816) in one or more accommodationsections thus giving rise to the transformed logical data object storedin accordance with certain embodiments of the present invention.

The log records in the index section comprise indication ofcompressed/non-compressed form of data in the accommodated logs;likewise, the indication may be provided for entire accommodationsection. The transformation system is scanning the accommodation sectionto find out one or more AS comprising non-compressed data, providescompression of the accommodated data, and sequentially accommodates 818the compressed data in newly allocated AS(s). The old accommodationsection is released 818 as was described, for example, with reference toFIG. 5.

Referring to FIG. 9, there is illustrated a generalized flowchart ofwrite operation on transformed logical data object (LO) in accordancewith certain embodiments of the present invention. A “write” request 90identifies the offset in the LO and the range L of data to write. Thetransformation system checks if there is an allocated accommodationsection, and, if not found, allocates 91 an active accommodation section(AS accommodating the last log). Further, the transformation systemchecks if the data range does not exceed predefined maximal lengthL_(max) of original data to be transformed as one log and creates arecord comprising the offset, length and data to be transformed; assignsto this record a flag corresponding to the flag of allocated AS; andtransforms 92 (e.g. compresses, encrypts, compresses & encrypts, etc.)said record. When applicable for certain transformation, the compressionis provided with the same dictionary and/or the encryption is providedwith the same key for encryption as the previous chunk of data.

The resulting log is written 93 to the active accommodation section ifthe last comprises enough free space to accommodate the log. Therespective information (if any) related to the secure key (or otherexternal data involved in the transformation) is stored in the logsand/or in the accommodation section (e.g. section header) and/or in theindex section in non-encrypted form.

If the free space is insufficient (e.g. writing operation fails ontarget buffer overflow, estimated expected log size more than said freespace, etc.) the transformation system allocates 94 a new accommodationsection. Allocation of the new AS includes assigning the physicallocation and assigning the flag as described with reference to FIG. 5.In certain embodiments of the invention allocating of new AS may includealso writing a pointer to said section in the currently active AS.

If the free space in the active AS is insufficient to accommodate theentire log, but meets a predefined criterion (e.g. more than predefinedsize, more than predefined ratio of entire required space, etc.), thetransformation system splits 95 the original chunk into two parts andprocesses them into two logs, writing one in the active AS and thesecond in the new AS. In certain embodiments of the invention, thetransformation system de-transforms (e.g. decrypts and/or decompressesthe active AS) or otherwise calculates or estimates the entire size oforiginal data accommodated in the active AS, and estimates the size oforiginal data to be added so that the transformed size of entire datasubstantially matches the predefined size of AS, thus enabling the splitwith maximal filling of the active AS.

If the free space in the active AS does not meet said criteria, theentire log will be written 96 in the new accommodation section. Incertain embodiments of the invention writing the first log to a new ASmay be followed by marking the previously active AS as full and/orvirtually “correcting” the length of the last log (e.g. by padding data)as if the entire size of the accommodated logs is equal to thepredefined size of AS. When closing the LO, the accommodation sectionactive to that moment (i.e. with the last accommodated chunks) may bereduced to its real size.

After the log is written at the storage location, the transformationsystem sends acknowledgement 97 to the clients 11 and/or servers 12. Theupdate 98 of the index section may be provided substantially in parallelwith acknowledgement, when allocating the new AS and/or closing the LOand/or in accordance with other predefined rules.

If the data range L to be written exceeds the predefined maximal lengthL_(max) of original data to be transformed as one log, thetransformation system segments the original data in accordance withL_(max) and repeats the process for each segmented chunk of data untilall the data to be written are processed and accommodated into theaccommodation section(s). Likewise, if the time of receiving the datarange to be written exceeds the predefined maximal time T_(max) ofreceiving original data to be transformed as one log, the transformationsystem segments the data range L in accordance with T_(max) and repeatsthe process for each segmented chunk.

The index section update includes adding a log record related to a newlog and updating, accordingly, previous log records related to liveand/or outdated data comprised in the corresponding range. Said new logrecord comprises information related to the offset (Pos_(L)) and size(Size_(L)) of the original chunk transformed into said log, as well asidentification and, optionally, flag of the corresponding accommodationsection. The update of appropriate log records may be provided inaccordance with the following procedure:

-   -   1) look over all log records (Pos, Size) in the index section(s)        for log record comprising position (Pos) such that        Pos≦Pos_(L)<Pos+Size_(L):        -   a. if found, update such log record to (Pos, Pos_(L)−Pos),            and go to 2);        -   b. if not found—end update.    -   2) compare Size_(L) with Size−Pos_(L)−Pos:        -   a. if more, find all log records (Pos₁, Size₁) such that            Pos_(L)≦Pos₁<Pos_(L)+Size_(L). Among said log records find            log record with maximal position, update it to            (Pos_(L)+Size_(L), Size₁−(Size_(L)−Pos₁)), delete other log            records among said log records and end update;        -   b. if less, add log record (Pos_(L)+Size_(L),            Size−(Pos_(L)+Size_(L)−Pos)) and end update;        -   c. if equal, end update.

Those skilled in the art will readily appreciate that the invention is,likewise, applicable to any other procedure of index section updatefacilitating one-to-one relationship between data in the original rangeand data to be de-transformed from the logs. For example, the update maybe provided in accordance with the following recursive procedure:

-   -   1) prepare new log record comprising position (Pos_(L)) and size        (Size_(L)).    -   2) look over all log records (Pos, Size) in the index section(s)        for log record comprising position (Pos) such that        Pos≦Pos_(L)<Pos+Size_(L):        -   a. if found, update such log record to (Pos, Pos_(L)−Pos),            and go to 3);        -   b. if not found, add log record (Pos_(L), Size_(L)) to the            index table and end update.    -   3) compare Size_(L) with Size−Pos_(L)−Pos:        -   a. if more, add log record (Pos_(L), Size−Pos_(L)−Pos).            Change Pos_(L) to new Pos_(L) ¹=Pos+Size and change Size_(L)            to Size_(L) ¹=Size_(L)−(Pos_(L) ¹−Pos_(L)) and return to 2).        -   b. if less, add log records (Pos_(L), Size_(L))            and(Pos_(L)+Size_(L), Size−(Pos_(L)+Size_(L)−Pos)) and end            update;        -   c. if equal, add log record (Pos_(L), Size_(L)) and end            update.

It should be noted that among advantages of certain embodiments of thepresent invention is the ability of writing the new data withoutdecrypting and/or decompressing or otherwise de-transforming alreadywritten data and/or otherwise rewriting the written data. Only new dataare transformed and accommodated, while the index section is updatedaccordingly and is configured to assist in reading the transformedlogical data object.

Referring to FIG. 10, there is illustrated a generalized flowchart ofread operation on transformed logical data object (LO) in accordancewith certain embodiments of the present invention.

The read operation starts with read request 100 identifying the offsetof data in the LO and the range of data to read. The transformationsystem 16 addresses all index sections (e.g. sequentially starting fromthe last section or from the currently open; or opening all together,etc.) to find out 101 all last updated entries related to the datawithin the range. As was detailed with reference to FIG. 5, thelast-updated entries in the index section facilitate one-to-onerelationship between the data in the range and the live (mostly updated)data to be extracted from the transformed data chunks (logs).Accordingly, the transformation system sequentially de-transforms 102(e.g. decrypts, decompresses, etc.) one of the accommodation sectionscorresponding to found entries, finds the required data 83. In certainembodiments of the invention the operation 102 starts with accommodationsection comprising data from the very end of the range to be read. Theoperations 102-103 are repeated 104 to the next accommodation section(s)until all data from the range have been found. The found data arearranged 105 in accordance with their order in the range. After the dataare ready, they may be sent 106 to an application.

In certain embodiments of the invention the stored transformed logicalobject may be optimized. The optimization may be provided by scanningthe accommodation sections (e.g. by analyzing entries in the indexsection(s)) to find out one or more AS comprising more than predefinedpercent (e.g. 90%) of outdated data. Such AS are de-transformed, thelive data are extracted and transformed and stored in the activeaccommodation section as a new log(s) and the old accommodation sectionis released. The transformation system keeps the list of releasedaccommodation sections and uses the corresponding physical location whenallocating a new accommodation section. As was described with referenceto FIG. 5, the new allocated AS and logs thereof will have the flagopposite to the flag of the old accommodation section. Said optimizationmay be provided when closing the logical object, per predefinedschedule, pre-defined event(s), etc.

Among advantages of certain embodiments of the present invention is thecapability to recover (and/or create) an index section in accordancewith information comprised in the accommodation section. For example, ifthe recovery flag of the opening logical data object is “ON”, thetransformation system initiates a recovery process. The recovery processstarts with checking if the transformed logical object comprises one ormore non-indexed accommodation sections (i.e. the accommodation sectionsdo not comprise at least one log having a corresponding log record in atleast one index section).

During recovery, the logs in such non-indexed AS are sequentiallyde-transformed in reverse order starting from the last log until (if) alog with an opposite flag is found (i.e. a log that belongs to the oldand released AS, and comprises outdated data). The transformation systemgenerates entries corresponding to the de-transformed logs, saves themin the memory and/or writes to the index section. The logs aretransformed back (and/or are temporary kept de-transformed, e.g.decrypted, decompressed, etc., if the recovered accommodation sectioncomprises data to be read) and the recovery flag is switched to “OFF”.

A failure may also occur when, for example, a new log has been providedwith the corresponding log record in the index section, but otherappropriate entries have not been updated yet. When reading such atransformed logical object, the transformation system may findinconsistency between data (more than one entry for the same point inthe range) and correct the index section in accordance with the mostlyupdated entries (corresponding to latest logs related to the samerange).

Referring to FIG. 11 a, there is illustrated a generalized flowchart ofread operation in response to data request with specified point in timeto be read. As was detailed with reference to FIGS. 2-9, the new datachunks are transformed and written for storage without de-transformingand/or otherwise rewriting already written data, while the index sectionis updated accordingly. Each entry of the index section comprisespointer(s) (or other indicators) to physical storage location of theaccommodation section and one or more log records. Also it was detailedthat, simultaneously with the last-updated records, the entry maycomprise previously-updated (and/or original) records related to thesame logs and special marking for differentiating between old andupdated records. In accordance with certain embodiments of the presentinvention each log record comprises or is otherwise associated with timestamps indicating the time of updating said log record and respectiveoffset and length of data to be read in accordance with said log record,wherein the entry comprises one or more log records with respect to thesame log and bearing different time stamps. Among advantages of suchtechnique is a capability of keeping every change made to data and timethereof, which allows a user or an administrator to access historicaldata by specifying the desired point in time or time range.

The read operation starts with read request 110 indicating the desiredpoint in time to be accessed and identifying the respective offset andlength of data to be read. The transformation system 16 addresses allindex sections (e.g. sequentially starting from the last section or fromthe currently open; or opening all together, etc.) to find out 111corresponding entries, i.e. entries related to the data within the rangeand comprising log records with time stamps prior or equal to thedesired time T. The transformation system further selects 112 the lastupdated entries/log records among said corresponding entries/logrecords, sequentially de-transforms 113 (e.g. decrypts, decompresses,etc.) one of the accommodation sections corresponding to the selectedentries, finds the required data 114 and keeps them in cache. Theoperations 113-114 are repeated 115 to the next accommodation section(s)until all data from the range and corresponding to desired point in timehave been found. The found data are arranged 116 in accordance withtheir order in the range. After the data are ready, they may be sent 117to an application.

Likewise, the read operation may be provided for several desired pointsin time simultaneously. It should be noted that although the describedembodiments allow reading different versions of the original data, thereis still kept a one-to-one relationship between each point in theoriginal data range and the data to be read from the logs afterde-transformation.

The transformation system may further provide optimization of the storedtransformed logical object in a manner similar to detailed withreference to FIG. 10. The optimization may be provided by analyzingentries in the index section(s)) to find out one or more outdated AS,i.e. AS comprising more than predefined percent (e.g. 90%) of dataassociated with time stamps meeting certain criterion, such data areconsidered outdated. The criterion may be related to time (e.g. timestamps prior to predefined and/or pre-configurable time), and/or numberof time stamps related to the same point in the original data (i.e. notmore than three time stamps and, accordingly, backward saved changes),and/or certain events (e.g. providing full backup of the stored data),etc. Such outdated AS is de-transformed, the live data are extracted andtransformed and stored in the active accommodation section as a newlog(s) keeping originally associated time stamps, and the oldaccommodation section is released. Said optimization may be providedwhen closing the logical object, per predefined schedule, pre-definedevent(s), etc.

Referring to FIG. 11 b, there is illustrated a schematic diagram ofindex section illustrated with reference to FIG. 6 b and comprising timestamps in accordance with certain embodiments of the present invention.

As was illustrated with reference to FIGS. 6 a-b, chunks of data 601-1,601-2 and 601-3 constituting the original LO were transformed intosequential logs 608-1, 608-2 and 608-3 accommodated in the accommodationsection #1. New data chunk 601-4 having length L4 has further replacedthe data in the original LO starting from offset C₁, where (C₁+L4)=E<D.The index section 118 illustrated in FIG. 11 b comprises log recordswith time stamps, the log records informing the range AB (offset A,length L1) was transformed into log 608-1 accommodated at 11:00, therange BC (offset B, length L2) was transformed into log 608-2accommodated at 11:01; the range CD (offset C, length L3) wastransformed into the log 608-3 accommodated at 11:16. Accommodation at12:03 of log 608-4 corresponding to the updated range C₁E (offset C₁,length L4) was followed by update of relevant log records. Accordingly,log records of the log 608-2 and 608-3 were updated at 12:03. Theupdated log records mean that the log 608-2 comprises live datacorresponding to offset B, length L2 ₁, and the log 608-3 comprises livedata corresponding to offset E, length L3 ₁. If the read requestcomprises, for example, desired time 12:30, the transformation systemwill find all log records with time stamp less than 12:30 and willselect the last-updated (608-1-1, 608-2-2, 608-3-2, 608-42) recordsindicating what data are relevant to the desired point in time. If theread request comprises, for example, desired time 11:10, thetransformation system will find all log records with time stamp lessthan 11:100 and will select the last-updated (608-1-1, 608-2-1)accordingly.

Referring to FIG. 12 a, there is a schematic diagram illustrating anon-limiting example of encrypting a plaintext chunk (e.g. originalchunk, compressed chunk, otherwise transformed chunk) in accordance withcertain embodiments of the present invention.

In the illustrated embodiment the transformation system is capable tobreak a plaintext chunk into segments with fixed-size A (when necessary,the segments are rounded to said fixed size) and to encrypt eachplaintext segment of the chunk into encrypted segment with fixed-size B,rounding the encrypted segments, when necessary, to said fixed size B.In the illustrated embodiments A=B=16 byte. When rounding, thetransformation system enters padding data (e.g. random characters,blanks, zeros, and nulls) to satisfy the data segment size requirements.In such embodiments the size of accommodation section may be defined asa multiple of the fixed size B.

As was detailed with reference to FIGS. 3-6, the logs accommodated inthe same accommodation section are encrypted with the same secure key.The security may be further increased by introducing additionalcryptographic variance for different logs, e.g. initialization vector(IV). The initialization vector is a non-secret continuously changingnumber used as an initializing input algorithm for the encryption of aplaintext block sequence. Accordingly, in certain embodiments of thepresent invention, the transformation system is configured to obtain(e.g. generate as a random number) initialization vectors to be usedtogether with secure key for encryption of the compressed chunks intoencrypted logs. The IVs are accommodated in headers of respective logs.

By way of non-limiting example, the transformation system may implementknown in the art Advanced Encryption Standard (AES) by US NationalInstitute of Standards and Technology (NIST). The AES algorithm iscapable of using cryptographic keys of 128, 192, and 256 bits to encryptand decrypt data in blocks of 128 bits. As known in the art, certainmodes of AES algorithm enable to use the initialization vector (IV)linearly added to (XORed with) the first chunk of plaintext or includedin front of the plaintext prior to encryption with the secure key.Accordingly, the transformation system may be configured to generate(e.g. randomly) initialization vectors for the first log in eachaccommodation section, and further generate the IVs for sequential logsby applying XOR operation.

As the accommodation section serves as an atomic element ofencryption/decryption operations, the initial IV and secure key relatedinformation may be held, in certain embodiments, in an accommodationsection header with no need for accommodation in the logs headers.

As illustrated by way of non-limiting example in FIG. 12 a, plaintextchunks (e.g. original chunks, compressed chunks, otherwise transformedchunks, etc.) 1201-1 (size 33 bytes), 1201-2 (size 50 bytes) and 1201-3(size 17 bytes) are encrypted with the same key into respectivesequential logs 1207-1 (size 48 bytes, including 15 bytes of paddingdata+header), 1207-2 (size 64 bytes, including 14 bytes of paddingdata+header) and 1207-3 (size 32 bytes, including 15 bytes of paddingdata+header) accommodated in the accommodation section 1205-1. Asillustrated, the sizes of the encrypted data in the logs are rounded asmultiples of 16. Each log comprises information (e.g. in a log header)about actual size of original data encrypted in respective log and,optionally, respective initialization vector and size of chunk beforeencryption (if differs from the original chunk). The information relatedto the secure key and initial initialization vector may be stored in theaccommodation section (e.g. AS header) and/or index section and/orheader 1204 of the transformed logical data object.

In accordance with certain embodiments of the present inventionillustrated in FIG. 12 b, plaintext chunks 1201-1 (size 33 bytes),1201-2 (size 50 bytes) and 1201-3 (size 17 bytes) are encrypted by thesame encryption engine as in FIG. 12 a, but in a maimer enabling tosubstantially eliminate padding data in the encrypted logs. A firstplaintext chunk is divided in two parts, the first part being referredto hereinafter as “primary data”, comprises sequential data startingfrom the offset and satisfies the data segment size requirements (e.g.multiples of 16 bytes), and the second part comprises the rest of thedata less than said data segment size and is referred to hereinafter as“tail data” (in the examples illustrated there are less than 16 bytes).The first part is encrypted and accommodated in the accommodationsection in a manner described with reference to FIGS. 3-6; therespective log is referred to hereinafter as “primary log”. The secondpart with tail data is processed as a separate sequential chunk and isaccommodated in the accommodation section in encrypted (or,alternatively, non-encrypted) form as a log (referred to hereinafter as“tail log”). The logs 1221 in the accommodation section correspond tothe divided chunk 1211, wherein the numbers in bold italics illustratethe respective data sizes.

When processing a next chunk, the encryption system obtains theplaintext tail data from the tail log, adds said tail data at thebeginning of said next chunk, divides the generated combination inprimary data and tail data in a manner above; then encrypts the primarydata in the primary log and the tail data in the tail log using the samesecure key. The new primary log shall be accommodated at a positionafter the previous primary log. Total actual size of plaintext dataaccommodated in the logs is updated respectively (to 83 bytes in thecurrent example). Total actual size of respective plaintext data is heldand maintained in the header of the accommodation section and/orencrypted logical data object. As the size of encrypted data in theprimary logs is equal to the size of plaintext primary data, it is notnecessary to keep in the logs information about actual size ofrespective plaintext data. The information related to the secure key andinitial initialization vector may be stored in the encrypted section(e.g. AS header) and/or index section and/or header 1204 of theencrypted logical data object.

The process is repeated for each next chunk until there is enoughaccommodating place in the accommodation section, e.g. the logs 1222 inthe accommodation section correspond to the chunk 1211 and the dividedchunk 1212 while the primary log 1232 is positioned as continuation ofprevious primary log 1231; the logs 1223 in the accommodation sectioncorrespond to the chunk 1211, the chunk 1212 and the divided chunk 1213,while the primary log 1233 is positioned as continuation of previousprimary log 1232. Thus, the accommodation section comprises a sequenceof primary logs followed by one (or zero) tail log.

It should be noted that the method of processing a plaintext chunk to bestored as encrypted logs is applicable in a similar manner to any methodand system for encryption of logical data objects for storage comprisingsequential accommodation of encrypted chunks.

FIG. 13 illustrates a schematic functional block diagram of thetransformation system 16 in accordance with certain embodiments of thepresent invention. The transformation system comprises a ClientInput/Output (I/O) block 131 coupled to a session manager 132. The I/Oblock gets data access-related requests (e.g. read, write, set end offile/ truncate, etc.) and forwards them to the session manager.

A session starts by access request to a logical data object (e.g. LUNcapacity request as, for example, SCSI LUN capacity request command;open file request, etc.) and ends by disconnect request (e.g. “LUNdisconnect”, “close file”, etc.) received from the same IP address(user). The session manager 132 holds all the session's private data as,for example, source session address, session counters, session status,all instances for the buffers in use, etc. The session manager alsohandles blocking all the relevant resources when the logical data objectis open and releasing said resources on disconnect. The session managertransfers all requests to a dispatcher 133 operatively coupled to thesession manager. The dispatcher 133 is operatively coupled to a logicaldata object manager 134, a buffer manager 135 and a transformation unit136. The dispatcher 133 communicates with the logical data objectmanager 134 for data related transactions (e.g. Read, Write, set end offile, etc.) and the transformation unit 136 for transforming operationsin accordance with certain embodiments of the present invention.

The transformation unit is capable of compressing, encrypting and/orotherwise transforming data, and sending them to a physical disk througha storage I/O 138; as well as of reading data from the physical diskthrough the storage I/O, De-transforming (e.g. decrypting and/ordecompressing) the respective buffer and, optionally, of segmentingand/or combining original and/or partly transformed data chunks forfurther processing. The transformation unit may comprise one or moretransformation blocks responsible for certain transforming operations(e.g. compression-decompression block 136-1 operatively coupled with theencryption/decryption block 136-2), and is configured to facilitate datatransfer and necessary synchronization between said blocks. Thetransformation unit is also configured to report size of originallogical data object (and free storage capacity) in reply to “Capacitystatus”.

The transformation unit 136 is also configured to communicate with oneor more external platforms storing external information related to datainvolved in the transformation process (e.g. the secure keys forreceiving the keys and/or metadata thereof); to receive said theinformation, extract or generate the necessary data (e.g. key ID) and tomanage thereof. The received information may be temporary accommodatedin a trusted memory within the transformation system, wherein thetransformation unit block may provide a management of said information(e.g. to manage accommodation of certain keys in said memory for certaintime period in accordance with a certain policy). In certain embodimentsof the invention the encryption/decryption block 136-2 may furthergenerate one or more encryption initialization vectors to be used forencryption (e.g. together with secure keys).

The logical data object manager 134 is responsible for the ordering andmemory sharing by different logical data objects and parts thereof.

The buffer manager 135 manages memory buffer resources and isresponsible for allocating and releasing memory buffer for operations ofother blocks. The transformation system further comprises an integritymanager 137 coupled to the session manager, the buffer manager and thedata block manager. The integrity manager is responsible forsynchronization and general control of all processes in thetransformation system as, for example keeping the integrity of thelogical data objects, etc. It is also responsible for flashing thememory buffer to the physical disk(s) through the storage physical I/Ointerface 138, and reading when needed from the disk(s).

Those skilled in the art will readily appreciate that the invention isnot bound by the configuration of FIG. 13; equivalent and/or modifiedfunctionality may be consolidated or divided in another manner and maybe implemented in software, firmware, hardware, or any combinationthereof.

It is to be understood that the invention is not limited in itsapplication to the details set forth in the description contained hereinor illustrated in the drawings. The invention is capable of otherembodiments and of being practiced and carried out in various ways.Hence, it is to be understood that the phraseology and terminologyemployed herein are for the purpose of description and should not beregarded as limiting. As such, those skilled in the art will appreciatethat the conception upon which this disclosure is based may readily beutilized as a basis for designing other structures, methods, and systemsfor carrying out the several purposes of the present invention.

It will also be understood that the system according to the inventionmay be a suitably programmed computer. Likewise, the inventioncontemplates a computer program being readable by a computer forexecuting the method of the invention. The invention furthercontemplates a machine-readable memory tangibly embodying a program ofinstructions executable by the machine for executing the method of theinvention.

Those skilled in the art will readily appreciate that variousmodifications and changes can be applied to the embodiments of theinvention as hereinbefore described without departing from its scope,defined in and by the appended claims.

1. A method of encrypting a plaintext logical data object for storage ina storage device operable with at least one storage protocol, saidmethod comprising: a) in response to a respective request, creating inthe storage device an encrypted logical data object comprising a headerand one or more allocated encrypted sections with predefined size; b)processing one or more obtained variable size chunks of plaintext datacorresponding to the encrypting plaintext logical data object thusgiving rise to the processed data chunks, wherein at least one of saidprocessed data chunks comprises encrypted data resulting from saidprocessing; c) sequentially accommodating the processed data chunks intosaid encrypted sections in accordance with an order said chunks receivedfor accommodation, and d) facilitating mapping between the data in theplaintext logical data object and the data accommodated in the encryptedsections.
 2. The method of claim 1 wherein the mapping is provided witha help of at least one index section constituting a part of theencrypted logical data object, said index section comprising at leastone entry holding at least information related to processed data chunksaccommodated in at least one encrypted section and indication ofphysical storage location pertaining to said encrypted section.
 3. Themethod of claim 1 wherein the predefined size is equal for all encryptedsections.
 4. The method of claim 1 wherein the size of the encryptedsection is selected from a list of predefined sizes in accordance withcertain criterion.
 5. The method of claim 1 wherein data chunksaccommodated into the same encrypted section are encrypted with the helpof the same secure key.
 6. The method of claim 5 wherein data chunksaccommodated in different encrypted sections are encrypted with the helpof different secure keys.
 7. The method of claim 1 wherein theencryption comprises: a) breaking data in a plaintext data chunk intoplaintext fixed-size segments; b) encrypting each said segment of theplaintext data chunk into encrypted segment with a fixed-size, saidencrypted segments constituting corresponding encrypted data chunk. 8.The method of claim 1 wherein the encryption comprises: a) obtaining atleast one initial initialization vector; b) encrypting the plaintextchunks with the help of a security key combined with initialinitialization vector and/or derivatives thereof, wherein the securitykey is the same for data chunks accommodated into the same encryptedsection.
 9. The method of claim 1 wherein the header of encryptedlogical data object comprises a unique descriptor of the encryptedlogical data object and information related to a size of the plaintextlogical data object.
 10. The method of claim 1 wherein the encryptedsection further comprises a header containing a unique identifier of thesection.
 11. The method of claim 1 wherein the processed data chunks areaccommodated in a log form.
 12. The method of claim 11 wherein a log ofa processed data chunk comprises a log header containing information inrespect of an offset of the plaintext data chunk within the plaintextlogical data object, size of said plaintext chunk, and an identifierallowing associating the log with the encrypted section accommodatingthe log.
 13. The method of claim 11 wherein the encrypted logical dataobject comprises at least one index section, said section comprising atleast one entry associated with at least one encrypted section, theentry comprising at least one indicator to physical storage location ofthe encrypted section and one or more log records related to therespective logs accommodated in the encrypted section and comprisinginformation facilitating mapping between the data in the plaintextlogical data object and the data accommodated in the encrypted sections.14. The method of claim 1 wherein each encrypted section is associatedwith a flag indicating a use/re-use condition of respective physicallocation of the encrypted section, and each processed data chunk isassociated with the same flag as the encrypted section accommodating thechunk.
 15. The method of claim 2 wherein at least one index section iscreated substantially when creating the encrypted logical data object.16. The method of claim 2 wherein at least one index sections is createdat a certain time after allocating one or more encrypted sections, butnot later than closing the logical data object.
 17. The method of claim2 wherein the header of the encrypted logical data object comprises anindicator to the first index section and each index section has anindicator to the next sequential index section if such exists.
 18. Acommunication device operable in a storage network being configured toperform the method stages of claim
 1. 19. A storage device operable in astorage network being configured to perform the method stages ofclaim
 1. 20. A system capable of encrypting a plaintext logical dataobject for storage in a storage device operatively coupled to the systemin a serial manner, said system acting as a transparent bridge inrespect to the storing data and being configured to perform the methodstages of claim
 1. 21. The method of claim 1 operable with at least fileaccess storage protocol.
 22. The method of claim 1 operable with atleast block mode access storage protocol.
 23. A method of writing a datarange to the encrypted logical data object created in accordance withclaim 1, said method comprising: a) in response to respective request,processing one or more obtained chunks of plaintext data correspondingto said data range, wherein at least one of the processed data chunkscomprises encrypted data resulting from said processing; b) sequentiallyaccommodating the processed data chunks in accordance with the orderthese and previous chunks received for accommodation; and c) updatingthe mapping in a manner facilitating one-to-one relationship between thedata in the range and the data to be read from the data chunksaccommodated in the encrypted logical object.
 24. The method of claim 23wherein, depending on a free space comprised in an active encryptedsection, a new data chunk is accommodated in an active encrypted sectionand/or in a new encrypted section.
 25. The method of claim 23 whereinupdating the mapping comprises: a) adding information related to all newdata chunks, said information related to the offset and size of therespective plaintext data chunks, and b) updating the previous obtainedinformation related to live and/or outdated data corresponding to therange.
 26. A method of reading a data range from a encrypted logicalobject created in accordance with claim 2, said method comprising: a) inresponse to respective request, discovering all created and/orlast-updated entries in the index section related to the data within therange; b) decrypting one of the encrypted sections corresponding to thediscovered entries, and extracting the data to be read in accordancewith the mapping provided by the entries; c) repeating step b) to oneore more other encrypted sections corresponding to the discoveredentries until extracting all data from the range; and d) arranging theextracted data in accordance with their order in the range.
 27. Themethod of claim 2 wherein one or more index sections are created byusing information comprised in one or more encrypted sections.
 28. Themethod of claim 1 further comprising optimization of the encryptedlogical data object, said optimization including: a) identifying one ormore encrypted sections comprising more than certain percent of outdateddata thus giving rise to outdated encrypted sections; b) decrypting theidentified outdated sections and extracting live data; c) encrypting theextracted live data and sequentially accommodating in an activeencrypted section as one or more new processed chunks; and d) releasingthe outdated encrypted sections from the encrypted logical data object.29. A method of recovery a encrypted logical data object created inaccordance with claim 13, said method comprising: a) initiating arecovery process upon recognizing a recovery status when opening alogical data object; b) inspecting the encrypted logical object in orderto find one or more unmapped encrypted sections, wherein unmappedencrypted section comprises at least one un-mapped processed data chunk;c) sequentially decrypting in reversed order the processed data chunkscomprised in said unmapped encrypted sections, starting from the lastprocessed data chunk until a data chunk with an opposite flag is found;d) generating an index section with one or more entries corresponding tothe decrypted processed data chunks; and e) re-processing the decryptedchunks and providing indication of successful recovery.
 30. A method ofencrypting a plaintext logical data object for storage in a storagedevice operable with at least one storage protocol, said methodcomprising: a) in response to a respective request, creating in thestorage device a encrypted logical data object comprising a header andone or more allocated encrypted sections with predefined size; b)encrypting one or more obtained variable size chunks of plaintext datacorresponding to the plaintext logical data object thus giving rise tothe encrypted data chunks; and c) sequentially accommodating theprocessed data chunks into said encrypted sections in accordance with anorder said chunks received for accommodation, wherein said encryptedsections serve as atomic elements of encryption/decryption operationsduring input/output transactions on the logical data object.
 31. Themethod of claim 30 further comprising enabling for each encryptedsection substantial identity between data could be obtained from saidencrypted section if being decrypted and the data in the respectiveplaintext data chunks accommodated in said section as a result of saidencrypting.
 32. A method of writing a data range to an encrypted logicaldata object stored in a storage device operable with at least onestorage protocol, said encrypted logical data object comprising aheader, an index section and one or more encrypted sections withpredefined size, said sections sequentially accommodating encrypted datachunks resulting from encryption of a respective logical data object,said method comprising: a) in response to respective request, encryptingone or more obtained variable size chunks of plaintext datacorresponding to said data range thus giving rise to the encrypted datachunks; b) sequentially accommodating the encrypted data chunks inaccordance with the order these and previous chunks received foraccommodation; and c) updating the index section in a mannerfacilitating one-to-one relationship between the data in the range andthe data to be read from the data chunks accommodated in the encryptedlogical object.
 33. A method of reading a data range from a encryptedlogical data object stored in a storage device operable with at leastone storage protocol, said encrypted logical data object comprising aheader, one or more encrypted sections with predefined size, saidsections sequentially accommodating encrypted data chunks resulting fromencryption of a respective logical data object, and an index sectioncomprising at least one entry holding at least information related torespective encrypted data chunks and indication of physical storagelocation pertaining to said encrypted section, said method comprising:a) in response to respective request, discovering all created and/orlast-updated entries in the index section related to the data within therange; b) decrypting one of the encrypted sections corresponding to thediscovered entries, and extracting the data to be read in accordancewith the mapping provided by the entries; c) repeating step b) to oneore more other encrypted sections corresponding to the discoveredentries until extracting all data from the range; and d) arranging theextracted data in accordance with their order in the range.
 34. A systemcapable of encrypting a plaintext logical data object for storage in astorage device operable with at least one storage protocol, said systemcomprising: a) means for creating in the storage device a encryptedlogical data object comprising a header and one or more allocatedencrypted sections with predefined size; b) sequentially means forprocessing one or more obtained variable size chunks of plaintext datacorresponding to the encrypting plaintext logical data object thusgiving rise to the processed data chunks, wherein at least one of saidprocessed data chunks comprises encrypted data resulting from saidprocessing; c) means for facilitating sequentially accommodating theprocessed data chunks into said encrypted sections in accordance with anorder said chunks received for accommodation; and d) means forfacilitating mapping between the data in the plaintext logical dataobject and the data accommodated in the encrypted sections.
 35. A methodof encrypting sequential plaintext chunks to be stored as encrypted logsin a storage device operable with at least one storage protocol, saidencrypting provided with a help of encryption engine operating datasegments with fixed size, the method comprising: a) dividing a firstplaintext chunk into two parts thus giving rise to a primary part and atail part, wherein the primary part comprises sequential data startingfrom the offset of said first chunk and having size defined as amultiple of said fixed size, and the tail part comprises the rest dataof said first chunk, said rest of the data less than said fixed size; b)encrypting the primary part with a secure key and accommodating theresults in the storage device as an encrypted log, thus giving rise to afirst primary log; c) processing the tail part and accommodating theresults in the storage device sequentially after the primary log, thusgiving rise to a first tail log; d) obtaining a next plaintext chunk; e)obtaining the plaintext data from the first tail log, adding them at thebeginning of said next chunk, and dividing the result in a primary partcomprising sequential data starting from the offset of said obtainedplaintext data and having size defined as a multiple of said fixed size,and the tail part comprises the rest data of said next chunk, said restof data less than said fixed size; f) encrypting the primary part withsaid secure key in a next primary log, said next primary log to beaccommodated at a position after the first primary log; g) processingthe tail part and accommodating the results in the storage devicesequentially after said next primary log.
 36. A program storage devicereadable by machine, tangibly embodying a program of instructionsexecutable by the machine to perform method steps of encrypting aplaintext logical data object for storage in a storage device operablewith at least one storage protocol, said method comprising: a) inresponse to a respective request, creating in the storage device anencrypted logical data object comprising a header and one or moreallocated encrypted sections with predefined size; b) processing one ormore obtained variable size chunks of plaintext data corresponding tothe encrypting plaintext logical data object thus giving rise to theprocessed data chunks, wherein at least one of said processed datachunks comprises encrypted data resulting from said processing; c)sequentially accommodating the processed data chunks into said encryptedsections in accordance with an order said chunks received foraccommodation, and d) facilitating mapping between the data in theplaintext logical data object and the data accommodated in the encryptedsections.
 37. A computer program product comprising a computer useablemedium having computer readable program code embodied therein ofencrypting a plaintext logical data object for storage in a storagedevice operable with at least one storage protocol, said computerprogram product comprising: a) computer readable program code forcausing the computer to in response to a respective request, creating inthe storage device an encrypted logical data object comprising a headerand one or more allocated encrypted sections with predefined size; b)computer readable program code for causing the computer to process oneor more obtained variable size chunks of plaintext data corresponding tothe encrypting plaintext logical data object thus giving rise to theprocessed data chunks, wherein at least one of said processed datachunks comprises encrypted data resulting from said processing; c)computer readable program code for causing the computer to sequentiallyaccommodating the processed data chunks into said encrypted sections inaccordance with an order said chunks received for accommodation, and d)computer readable program code for causing the computer to facilitatemapping between the data in the plaintext logical data object and thedata accommodated in the encrypted sections.